Honorable Richard H. Truly
Administrator 
NASA Headquarters 
Washington, D.C. 20546 

Dear Admiral Truly: 

The Aerospace Safety Advisory Panel (ASAP) is again pleased to submit its Annual 
Report. This report covers the period from February 1991 through January 1992 and 
provides you with findings, recommendations, and supporting material. We ask you to 
respond only to Section II, "Findings and Recommendations."

During the past year, we have been gratified by the continued prudent approach NASA 
has shown with respect to Space Shuttle operations. We also are encouraged by the 
improvements we have seen, particularly in the area of Shuttle processing. Although 
more work needs to be done in this area, you certainly appear to be on the right track. 
We also view the revised Space Station Freedom Program as a welcome improvement 
and a realistic course to follow. 

In spite of these gains, however, we are distressed by the actions taken with respect to 
the Space Shuttle Main Engine (SSME). In particular, we disagree with the decision to 
cancel the development of the hydrogen alternate turbopump and large throat main 
combustion chamber. It is the Panel’s consensus that improvements such as these are 
indispensable to the safe continuation of the Space Shuttle Program for the next 20 to 30 
years and would contribute more to safety and reliability than any other identified 
propulsion improvement. In fact, we consider a comprehensive and continuing program 
of safety and reliability improvements in all areas of Space Shuttle hardware and 
software to be an essential component of maintaining successful operations. As a safety 
advisory panel, we cannot support the elimination of important safety and reliability 
improvements and urge you to reconsider the advanced turbopump and large throat 
main combustion chamber projects. 

Very truly yours, 



Norman R. Parmet 
Chairman 

Aerospace Safety Advisory Panel 

I. INTRODUCTION


In 1991, NASA continued successful 
Space Shuttle flights and restructured 
the Space Station Freedom Program 
(SSFP) with a downsized design. This 
design involved significantly lower 
technological and operational risks than 
the earlier versions. The Aerospace 
Safety Advisory Panel (ASAP) 
monitored these activities as well as 
NASA’s aeronautical programs at NASA 
installations and contractor facilities. 
Specific topics that were examined
in-depth by the Panel included Space
Station organization, Space Shuttle 
structures, Space Shuttle processing, 
design and manufacturing plans for the 
Advanced Solid Rocket Motor (ASRM), 
Space Shuttle landing performance and 
the need for an operational autoland 
capability, Space Shuttle logistics, loads 
and overhaul plans, and aeronautical 
flight research programs. 

The results of the Panel’s activities are 
presented, as in previous years, in a set 
of findings and recommendations, which 
are in Section II of this report. Section 
III is composed of "Information in 
Support of Findings and 
Recommendations." Appendices in 
Section IV provide a listing of Panel 
members, the NASA response to the 
findings and recommendations contained 
in last year’s report, and a chronology of 
the Panel’s activities during the 
reporting period. 


This report highlights both 
improvements in NASA’s safety and
reliability activities and specific areas 
where additional gains might be 
realized. One area of particular 
concern involves the curtailment or 
elimination of Space Shuttle safety and 
reliability enhancements; it is addressed 
by several findings and 
recommendations. The Panel considers 
this essential to the continued successful 
operation of the Space Shuttle. 
Therefore, it is recommended herein 
that a comprehensive and continuing 
program of safety and reliability 
improvements in all areas of Space 
Shuttle hardware/software be 
considered an inherent component of 
ongoing Space Shuttle operations. 

During 1991, Joseph F. Sutter retired 
from the Panel after serving as its 
Chairman and, most recently, as a 
consultant to it. Paul M. Johnstone and 
John A. Gorham joined the Panel as 
consultants. 

II. FINDINGS AND RECOMMENDATIONS

A. SPACE STATION FREEDOM PROGRAM 


Finding #1: During the past \\ years,
Space Station Freedom (SSF) has 
undergone a reconfiguration involving 
many technical changes and program 
deferrals. These changes were 
highlighted in the Aerospace Safety 
Advisory Panel’s (ASAP’s) March 1991 
report. Some of the changes affect risk 
and safety while others influence 
serviceability and usefulness. 

Nevertheless, the SSF design that has 
emerged is more realistic and capable of 
supporting a stable development
program.

Recommendation #1: Safety and risk
considerations should remain of
paramount importance in the
development of the reconfigured Space 
Station. 

Finding #2: The ASAP March 1991
Annual Report characterized the Space
Station Freedom Program (SSFP) as 
plagued with technical and managerial 
difficulties and lacking an effective
systems engineering and integration
organization. Significant developments 
have occurred in the ensuing year. In 
particular, there has been a clarification 
of system engineering and systems 
integration responsibilities among NASA 
Headquarters and the Centers. Also, 
key managerial assignments have been 
delegated to appropriate Centers. The 
new arrangement benefits the program 
by drawing on the substantial technical 
expertise of the Centers’ staff members 
not specifically assigned to the SSFP. 


Recommendation #2: The changes
introduced in the systems engineering
and integration management areas 
should be monitored to ensure that the 
new arrangement is effective and that 
maximum use is made of each Center’s 
particular capabilities. 

Finding #3: NASA’s current policy is
not to leave a crew on the Space Station 
without an attached Space Shuttle or 
other assured return capability. At 
present, there is no program to develop 
a dedicated assured return vehicle. 
However, using an Orbiter as an assured 
return vehicle on long-duration missions 
reduces the number of Space Shuttles 
available for other purposes and raises 
potential safety and reliability issues. 

Recommendation #3: NASA should
continue studies to explore various
options for assuring a safe return 
capability from SSF leading to the 
selection of a preferred option in a 
timely manner. 

Finding #4: Use of preintegrated truss 
(PIT) sections for SSF greatly simplifies 
on-orbit assembly. However, the 
capture latch, guide pins, and motorized 
bolts used to couple the assemblies may 
not always be in proper alignment. This 
could lead to damaging the guide pins 
or bolts thereby precluding mating. 

Recommendation #4: The PIT
development program should consider
actual hardware tests to verify the
assembly process to be used in orbit.
These tests should encompass the full 
range of misalignments, tolerances, and 
impacts that might reasonably be 
expected to occur when the truss is 
assembled with the actual equipment 
and procedures to be used. 

Finding #5: Software for the Data
Management System (DMS) represents 
one of the major challenges to meeting 
the intensive delta design review (DDR) 
schedule. 

Recommendation #5: The DMS
software development process should be
monitored closely to ensure it is 
compatible with the existing DDR 
schedules. 

B. SPACE SHUTTLE PROGRAM



Finding #6: The results of flight tests
indicate that the turbulent flow over the 
body flap creates a spectrum of hinge 
moments greater than that used in the 
original structural fatigue analysis. It 
also has been determined that an 
additional load path exists from the flap 
to the supporting structure. Further, the 
flap actuators were found to be more 
flexible than originally assumed. 
Additional tests are to be conducted to 
evaluate hinge moments and actuator 
flexibility. 

Recommendation #6: NASA should
evaluate, as rapidly as possible, the
results of the new tests and loads 
analyses to reestablish the allowable 
number of flights for the body flap. 

Finding #7: NASA has developed a
Shuttle Modal Inspection System (SMIS)
for detecting changes in stiffness in 
structural/mechanical systems due to 
factors such as wear or cracking. The 
SMIS has shown good results when used 
on the Orbiter body flap and elevon 
systems (including actuators and 
supporting structures). However, it is
not a complete replacement for more 
conventional nondestructive inspection 
(NDI) methods. These conventional 
methods are capable of detecting cracks 
in primary structures with a "critical 
crack length" too small to cause a 
detectable change in stiffness and hence 
be measurable by SMIS. 


Recommendation #7: The SMIS
procedure should be used only to
augment more conventional NDI 
methods. 

Finding #8: Thermal protection system 
tiles are inspected for damage after 
every flight by specially trained and 
highly experienced inspectors using 
tactile techniques. These inspectors 
determine if the tiles are loose and help 
to identify problems in step and gap. 
The current procedure is largely 
qualitative and highly dependent on the 
skill of the individual inspectors. 

Recommendation #8: A program to
select and train new inspectors should
be instituted to ensure the availability of 
an adequate cadre of qualified 
inspectors throughout the life of the 
Orbiters. In addition, further effort 
should be applied to the development of 
a quantitative inspection technique. 

Finding #9: The Space Shuttle Program 
requires both turnaround and periodic 
major Orbiter overhaul functions. 

Recommendation #9: Overhaul and
major modification efforts should be
organizationally and functionally 
separated from routine turnaround 
operations because of the different types 
of planning and management skills and 
experience required. 

Finding #10: The Space Shuttle design
presently includes an automatic 
approach guidance system that requires 
crew participation and does not control 
all landing functions through touchdown 
and rollout to wheel stop. The present 
system never has been flight tested to 
touchdown, but a detailed test objective 
for such a test is in preparation. The 
availability of a certified automatic 
landing system would provide risk 
reduction benefits in situations such as 
weather problems after de-orbit and 
Orbiter windshield damage. 

Recommendation #10: Future mission
plans suggest the potential for
significant risk reduction if the present 
Space Shuttle automatic landing 
capabilities are fully developed and 
certified for operational use. System 
development should include 
consideration of hardware, software, and 
human factors issues. 

Finding #11: NASA continued its
software independent verification and
validation (IV&V) activities during the 
year. This independent review has 
demonstrated its value by finding failure 
modes that previously were unknown. 
The Safety and Mission Quality 
organization has taken on greater 
responsibilities for software safety. 

Recommendation #11: NASA should
continue to support a software IV&V
oversight activity. The present process 
should be reviewed to ascertain whether 
it can be streamlined. The IV&V 
oversight activity should include the 
development of detailed procedures for 
test generation. NASA should not
attempt to duplicate, through IV&V or
otherwise, the actual performance of all 
verification and validation tests. 

Finding #12: The new Space Shuttle
general purpose computer (GPC)
apparently has performed well. The 
Single Event Upsets (SEUs) were no 
more numerous than expected. Based 
upon NASA’s model of SEUs, the 
accuracy of the predictions is excellent, 
and supports NASA’s estimate that the
probability of an SEU-induced failure is 
negligibly small. Nevertheless, there 
still is concern about the eventual 
saturation of usable memory on the 
GPC. 

Recommendation #12: NASA should
initiate a small study on alternatives for
future GPC upgrades and/or 
replacements. This should involve other 
NASA organizations that have been 
studying computer evolution. 

Finding #13: The replacement of some 
requested software upgrades with crew 
procedures is a matter of serious 
concern particularly when the functions 
addressed could be handled with greater 
reliability and safety by software. The 
crew already has to cope with a very 
large number of procedures. 

Recommendation #13: NASA should
conduct a thorough review of all crew
procedures that might be performed by 
the computer system to determine 
whether they are better done manually 
by the crew or by the software. Human 
factors specialists and astronauts should 
participate. 

SPACE SHUTTLE MAIN ENGINES (SSME)

Finding #14: There are currently a
sufficient number of flightworthy engines
to provide each Orbiter with a flight set 
as well as provide an adequate number 
of spares. 

Recommendation #14: Maintain this
position.

Finding #15: The SSME component
reliability and safety improvement
program, designed to enhance or sustain 
the current component operating 
margins, has made progress towards 
achieving its objectives. The
high-pressure fuel turbopump (HPFTP) has
completed its certification. Changes to 
the two-duct powerhead have eliminated 
injector erosion, but more work is 
needed to reduce main combustion 
chamber (MCC) wall damage. The 
process for producing the single-tube 
heat exchanger has been developed, and 
heat exchangers are being installed for 
testing. The high-pressure oxygen 
turbopump (HPOTP) changes were less 
successful in meeting service-life 
objectives, but an operational 
workaround to reduce turnaround time 
for the HPOTP has been implemented. 

Recommendation #15: Continue the
development of these reliability and
safety improvements. Complete their 
certification as expeditiously as possible. 

Finding #16: The development of the 
large throat main combustion chamber 
(LTMCC) and Advanced Fabrication 
Processes for the SSME have been 
discontinued. Both of these efforts 
eventually would have led to 
significantly enhanced safety and 
reliability of the SSME. 


Recommendation #16: Restore these
important safety-related programs.

Finding #17: The Alternate Turbopump 
Program has made major progress 
toward achieving its objectives despite 
design problems uncovered during 
design verification systems (DVS) and 
component development tests.
Engine-level tests have begun for both
turbopumps. The value of heavily 
instrumented test items run on the E-8 
component test stand has been 
demonstrated clearly, as evidenced by 
the rapid identification of problem 
sources and the development of design 
changes to overcome them. NASA has 
opted to delete the work on the 
alternate HPFTP and to continue only 
the development on the alternate 
HPOTP with the intent to use it, when 
certified, in conjunction with the current 
HPFTP. While such a configuration is 
feasible, such usage will not achieve the 
increase of operating margins in the 
engine system to the levels desired and 
advocated by program and propulsion 
specialists. 

Recommendation #17: Restore the
alternate HPFTP development.

SOLID ROCKET MOTORS 

Finding #18: NASA previously has
investigated the possibility of developing
a new, low-temperature elastomeric 
O-ring material to eliminate the need 
for the field joint heater assembly on 
the Redesigned Solid Rocket Motor 
(RSRM). None was found that was 
compatible with the grease used during 
assembly. The material (GCT Viton) 
being developed for the Advanced Solid 
Rocket Motor (ASRM) O-rings has 
proper elasticity down to 33 °F.

Recommendation #18: NASA should
evaluate the ASRM O-ring material
(GCT Viton) for use on the RSRM to 
eliminate the field joint heaters and 
their installation. 

Finding #19: The full-scale ASRM
propellant manufacturing facility may
not be directly scaleable from the 
continuous mix pilot plant. Particular 
problem areas relate to the particle size 
of the propellant and the screw pump 
section of the rotofeed. 

Recommendation #19: Scale-up of the
ASRM propellant manufacturing plant 
should be scrutinized closely by NASA 
to ensure that safety and schedule are 
not compromised. 

Finding #20: An ambitious automated 
process is planned for the ASRM 
propellant mixing and casting. This 
process will be largely
computer-operated with human operators serving
primarily as initiators and monitors. 
This will place significant demands on 
the design of the operator interface of 
the system to ensure an effective and 
safe allocation of tasks and 
responsibilities between humans and 
computers. 

Recommendation #20: The ASRM
program should develop task and
functional analyses of the human 
operator’s role in the solid rocket 
manufacturing process and the operator 
interface with the computer system with 
emphasis on safety aspects. 

Finding #21: Development of the
ASRM case and its manufacturing
processes includes a number of new 
methods and materials. For example, a 
new steel case material with associated 
plasma-arc welding and repair
techniques and automated internal
stripwinding of the insulation are part of 
the design. 

Recommendation #21: Due to the
extensive use of new materials and
processes in ASRM case manufacturing, 
NASA should monitor the associated 
development test program carefully to 
ensure that safety is not compromised. 

Finding #22: NASA has decided not to 
improve the current aft skirt design to 
meet the original design specification of 
a factor of safety of 1.4. NASA now 
believes that a 1.28 factor of safety is 
adequate because the loads are
well-defined.

Recommendation #22: Due to the lower 
factor of safety on the current RSRM 
skirts and the planned use of the same 
skirt on future ASRMs, NASA should 
task its safety organization to monitor 
the loads/strains measured during 
launches to establish a truly credible 
data base for the statistical justification 
of the lower factor of safety. 

Finding #23: Logistics development for 
the ASRM is being pursued. All related 
major contractors and NASA groups are 
actively participating. Planning
documents for support equipment,
training, and transporting the motor 
elements are being prepared. 

Recommendation #23: Continue the
early and thorough consideration of
ASRM logistics issues. 

LAUNCH AND LANDING 

Finding #24: Several landing anomalies 
were experienced during the past year, 
including an extremely short landing on 
STS-37. Careful examination of the 
causes of these anomalies led to
significant operational improvements. 

Recommendation #24: A continuing
analysis of landing performance should
be undertaken to include hardware, 
software, personnel functions, and 
information transfer. Continued
improvement in all areas related to
landing safety, including use of wind 
data and automatic guidance, should be 
sought as part of the movement to shift 
more landings to the Kennedy Space 
Center (KSC). 

Finding #25: In spite of significant
advances over the past year, there is still
a need to improve the effectiveness of 
launch processing at KSC. It is rare 
when a vehicle is taken to the pad and 
launched without delays. Subsystem 
problems sometimes either require 
rolling the vehicle back to the Vehicle 
Assembly Building (VAB) or they cause 
delays at the pad. 

Recommendation #25: Continue efforts 
to improve the effectiveness of launch 
processing operations. Each occurrence 
of a problem at the pad should be 
reviewed to determine why it was not 
caught in the VAB or Orbiter 
Processing Facility. 

Finding #26: Morale among launch
processing personnel at KSC improved
over the past year. This most likely is 
the result of a heightened sense of 
individual responsibility, improved 
systems training, and a better 
supervisory/management approach. 

Recommendation #26: Continue and
expand the approaches that have been
successful over the past year. 


Finding #27: Operations and
maintenance instructions (OMIs) have
shown improvement. However, recent 
over-pressurization of a solid rocket 
booster (SRB) hydraulic tank has been 
attributed to an improperly written 
OMI. It also has been noted that an 
apparent excess of signatures still is 
needed in the paperwork generation and 
revision process. 

Recommendation #27: Effort should
be continued to improve the quality of
OMIs. This should include the 
generation, review, and revision of the 
instructions. Efforts also should be 
made to reduce unnecessary signature 
requirements and consolidate paperwork 
systems. 

Finding #28: The use of task teams at 
KSC appears to be working well. 

Recommendation #28: The task team
approach should be expanded as
planned. In addition, coordination 
among task teams should be improved. 

Finding #29: Procedures for tracking,
analyzing, and providing corrective
action for hardware problems arising at 
KSC are complex and lengthy involving 
numerous entities. There is no overall 
coordination effort to ensure that 
appropriate corrective action is taken. 

Recommendation #29: The Space
Shuttle Program should establish a
coordinating function that is responsible 
for ensuring that proper and timely 
action is taken by responsible 
organizations in correcting problems 
that occur during launch preparation. 

Finding #30: The Shuttle Processing
Data Management System II (SPDMS 
II) has not yet provided many of its 
anticipated benefits. This may be 
because prospective users have not been 
fully involved in its design. Various 
temporary subsystems have emerged and 
are being used. However, these may be 
difficult to integrate into the final 
design. 

Recommendation #30: Designers of the 
SPDMS II system should directly involve 
users in the system’s design and 
implementation. In particular, care 
should be exercised to ensure that the 
various subsystems now being used 
successfully are included in the final 
design. 

Finding #31: The Orbiter logistics and
support program appears to be 
exhibiting a steady trend of 
improvement. The component overhaul 
and repair facility has been enhanced, 
and personnel skills have been 
upgraded. This has improved the 
control of such issues as cannibalization, 
serviceable component spares levels, and 
replenishment of spares stocks. 
However, support of Orbiter OV-105 
(Endeavour) has caused extra effort in 
the latter months of the year and 
undoubtedly will continue to do so in 
1992. 

Recommendation #31: This excellent
program should be continued with
particular attention on the possible 
impacts of servicing OV-105. 

Finding #32: Coordination among
NASA Centers and contractors on
logistics and support is excellent. This 
is due in large part to the activities of
the Integrated Logistics Panel (ILP),
which meets at various locations at 
approximately 4-month intervals. 

Recommendation #32: NASA should
continue to support the excellent work
being performed by the ILP. 

Finding #33: Transfer of critical
management skills and authority to the
NASA Shuttle Logistics Depot (NSLD) 
and to KSC under the Logistics 
Management Responsibility Transfer 
(LMRT) Program is continuing. 
However, in some instances, funding 
limitations are slowing the process. 
Memoranda of Agreement (MOA) 
documents that establish details of 
transfer arrangements between such 
Centers as the Johnson Space Center 
(JSC), Marshall Space Flight Center 
(MSFC), and KSC are being revised or 
finalized. 

Recommendation #33: It is important
that the centralization of authority and
equipment at KSC continues as planned 
under the LMRT concept. 

Finding #34: NSLD is consolidating its 
activities at Cocoa Beach and is having 
a positive effect upon the critical issue 
of repair turn-around time (RTAT) for 
line replaceable units (LRUs). It 
provides protection against threats of 
unavailability of repaired or overhauled 
units in many cases in which the original 
manufacturers are no longer providing 
support. RTAT data support the 
importance of the proximity of the 
NSLD facilities to KSC. 

Recommendation #34: The NSLD is
essential to the efficient support of the
Space Shuttle fleet and should continue 
to be supported at its current level. 

Finding #35: Cannibalization (or the
removal of working components from an
Orbiter to meet shortages in another 
vehicle) has been the subject of much 
management attention. With a few 
persistent exceptions such as auxiliary 
power units (APUs), cannibalization 
rates now have been reduced to a 
commendably low level. 

Recommendation #35: Maintain rigid
controls on cannibalization. This will be
particularly important to accommodate 
the absorption of OV-105 into the 
operating fleet next year. 

Finding #36: The reduction of
component RTAT has been subjected to
as much management scrutiny as 
cannibalization and has, perhaps, an 
even greater economic and support 
effect upon Orbiter capability. 

Recommendation #36: There can be no 
relaxation of the vigilance entailed in 
the pursuit of this cost-sensitive 
problem. Therefore, continue to keep 
the tightest control over the RTAT 
problem. 


Finding #37: The problem of stock
inventory held at or below minimum
established levels is becoming critical. 
This is largely due to introduction of 
OV-105 and to major modification 
programs to other Orbiters. 

Recommendation #37: Establish
stocking recovery programs as soon as 
possible. 

Finding #38: The problem of providing 
replacements or substitutes for parts or 
components that are now out of 
production will inevitably worsen with 
each passing year. In many cases, 
original equipment manufacturers 
(OEMs) are unwilling or unable to 
regenerate small batch production. 

Recommendation #38: It is essential to
try to anticipate potential shortages 
before they impact the program. 
Although this problem currently is being 
addressed by NASA, increased 
management pressure is needed to avoid 
a potential launch rate problem in the 
future. 




C. AERONAUTICS 


Finding #39: The Panel was pleased to 
note the promulgation on August 12, 
1991, of NASA Management Instruction 
(NMI) 7900.2 on aircraft operations 
management. This NMI and a 
companion delineation of aviation safety 
requirements in the basic safety manual 
are needed steps in the establishment of 
a total safety management organization 
and Agency-wide philosophy of aviation 
safety for administrative aviation. 

Recommendation #39: Incorporate
aviation safety requirements in the basic
safety manual as soon as possible to 
ensure that NASA personnel have a 
common reference for administrative 
aviation safety requirements. 
Completion of a Headquarters 
organization to coordinate flight policies 
throughout NASA is needed. 


Finding #40: Management of NASA’s
aeronautical flight research continues to
place strong emphasis on flight safety. 
Procedures for review and approval of 
the flight programs [from project 
conception through Flight Readiness 
Reviews (FRRs)] are adequate to 
ensure full awareness of the major 
safety issues involved in each project. 

Recommendation #40: NASA’s
aeronautical flight research should
continue to be given strong support at 
appropriate levels to maintain a safe 
program for preserving the nation’s 
dominance in the aeronautical sciences. 

D. OTHER


Finding #41: Crew members working
on the Space Shuttle for extended
periods have experienced difficulties 
achieving sufficient sleep. This problem 
is magnified when two shift operations 
are conducted. These problems are 
similar to those experienced by aircraft 
flight crews in long-haul operations. 

Recommendation #41: NASA should
support a program of research and
countermeasure development on crew 
rest cycles and circadian rhythm shifting 
to support both Space Shuttle and Space 
Station operations. This program could 
be modeled productively after the 
ongoing NASA aircrew research. 

Finding #42: Despite acknowledged
examples of contributions to aviation
safety analyses through human factors 
research, NASA has not marshalled its 
resources in this field to study similar 
problems in spaceflight orbital and 
ground operations. Efforts in this arena 
have been stymied by a lack of 
appreciation of its potential value and 
the absence of clear guidelines 
regarding programmatic responsibilities. 

Recommendation #42: In view of the
anticipated increase in manned
spaceflight activity during the present 
decade involving joint Space Shuttle and 
Space Station activities, NASA’s human
factors resources should be marshalled 
and coordinated effectively to address 
the problems of risk assessment and 
accident avoidance. 

Finding #43: NASA has a hierarchy of 
reporting systems for mishaps and 
incidents that defines investigation 
procedures/responsibilities and provides
for developing lessons learned. These
reporting systems function quite well for 
relatively serious accidents, incidents, 
mishaps, and near-misses. NASA does 
not have a system analogous to the 
Federal Aviation Agency’s (FAA’s)
Aviation Safety Reporting System 
(ASRS) for collecting self-reports of 
human errors that do not lead to an 
otherwise reportable event. 

Recommendation #43: NASA should
examine ways to encourage self-reports
of human errors and to analyze and 
learn from data and trends in these 
reports. Inclusion of coverage of the 
need for human-error reporting in task 
team training with an associated method 
for analyzing the reports could prove to 
be an excellent method for collecting 
this information. 

Finding #44: The Tethered Satellite
System (TSS) program was plagued by
two quality control problems during the 
year. One problem was a failure of the 
bonding between the rotor of the 
vernier motor and the cork clutch 
material. The other problem was 
associated with an error in identifying 
heat treating requirements for 15-5 
stainless steel. Installed components 
using this steel that was not heat treated 
should require a waiver before clearance 
to fly is granted. Failure of 15-5 steel 
pins in the concentric damper negator 
motor or tower tabs could potentially 
impact safety. 

Recommendation #44: A complete
review of the TSS quality assurance
program should be conducted before 
flight in addition to the already initiated 
examination of the suitability of the
suspect parts. 

Finding #45: Existing plans for Space 
Shuttle missions such as the Hubble 
Space Telescope (HST) repair, and the 
assembly and maintenance of the 
downsized SSF, highlight potential 
benefits from the use of an improved 
spacesuit and extravehicular mobility 
unit (EMU) to replace the existing suit 
and portable life support system (PLSS). 
Limitations inherent in the design of the 
present system could pose operational 
or safety problems on these and future
missions. The AX-5 and Mark 3 
research and development programs 
have provided an excellent basis for 
implementing a new, improved design 
for extravehicular activity (EVA) 
equipment. Compatibility of the new 
suit designs with the existing PLSS 
potentially provides a cost-effective 
upgrade path. 

Recommendation #45: NASA should 
reconsider the specification and 
development of a new suit and EMU 
based on the information developed in 
the AX-5 and Mark 3 programs. NASA 
should acknowledge the need for a new 
suit and EMU as soon as possible and 
establish its development and 
implementation schedule consistent with 
budget availability. Use of a new suit 
with the existing PLSS specifically 
should be examined as an interim safety 
improvement step. 

Finding #46: Determinants of the risk 
of bends during EVA activities have not 
been fully researched. Existing 
prebreathing protocols are based on 
ground-based pressure chamber tests 
and scuba diving tables. A significant 
safety uncertainty could be removed if 
the specific effects of micro-gravity EVA 
conditions on nitrogen bubble formation 
were determined and documented. 

Recommendation #46: NASA should 
support the research necessary to 
characterize more fully the bends risk 
associated with micro-gravity EVA 
activities using its extensive expertise at 
the research centers and the data 
collection opportunities available during 
on-ground simulations and Space Shuttle 
flights. 

INFORMATION IN SUPPORT OF FINDINGS AND RECOMMENDATIONS 

A. SPACE STATION FREEDOM PROGRAM 


Ref: Findings #1 through #3 

Space Station Freedom (SSF) has 
undergone a major restructuring. 
Difficult issues in program content and 
operations have been realistically 
confronted. Nevertheless, SSF remains 
a very complex program involving three 
NASA development Centers, three 
international partners, a significant 
ground integration, and launch 
responsibility for the Kennedy Space 
Center (KSC) and numerous 
development and support contractors. 
Figure 1 depicts the overall program 
plan and organizational responsibilities. 
An outline of the administration of 
program policy and direction is shown in 
Figure 2. 

Geographically dispersed locations and 
fragmented levels of responsibility have 
contributed to management complexity, 
especially in the systems engineering 
and integration area. Management has 
attempted to mitigate this situation by 
combining the systems engineering and 
systems integration responsibilities into 
a single office at Reston, Virginia (Level 
II) and delegating specific 
implementation authority to the field 
centers as outlined in Figure 3. The 
field managers, in administering their 
responsibilities as Level II staff, have at 
their disposal the technical and 
administrative resources of their Centers 
as well as staff members specifically 
assigned to that office. At the same 
time, they are close to the Level III 
activity at the Centers where the 
development responsibility resides. The 
activity at the Marshall Space Flight 
Center (MSFC) shown in Figure 4 is an 
illustration of this arrangement. 

The Elements Integration Office 
Manager at MSFC (Level II) reports 
programmatically to the Manager, 
System Engineering and Integration 
Office (Level II) located in Reston, 
Virginia, and attends Level II meetings 
and briefings with managers from other 
Centers. The manager’s relationship 
with the Space Station Projects Office 
(SSPO) at MSFC (Level III) remains a 
typical Level II/III interface. The 
advantage of the arrangement is in the 
personnel allocations. The Elements 
Integration Office Manager has a staff 
of 13 people supported by Grumman, 
the Space Station Engineering and 
Integration Contractor (SSEIC), which 
has approximately 80 staff members 
assigned to the MSFC Element 
Integration Office. In addition, as a 
consequence of being located at MSFC, 
the manager also can enlist a full range 
of specialists from the Science and 
Engineering Directorate as needed. 
Similar arrangements exist at other 
Centers. 

Figure 2. Space Station Freedom Program Organization 

Figure 3. Space Station Freedom Program and Operations 

Changes also have been effected in 
Level II activity at Reston. The new 
management structure is in place and 
has established clear responsibility 
among the various organizations and 
program levels. Grumman, SSEIC to 
NASA Level II at Reston, is now 
undertaking a realistic integration role 
in addition to the supporting function it 
has been serving. Communications 
between NASA and SSEIC have 
improved greatly. For instance, SSEIC 
personnel now attend the SSF meetings 
of key NASA integration managers from 
which they previously were excluded. 

The SSF design changes have had some 
impacts on safety and risk. For 
example, use of a preintegrated truss 
(PIT) structure (see below) should 
greatly reduce risks associated with the 
extensive extravehicular activities 
(EVAs) required by erection of the 
previous design. On the other hand, the 
elimination of two nodes reduces the 
available egress paths and, hence, likely 
increases risk. Overall, it appears that 
the program has struck a reasonable 
balance between reduced cost and 
complexity and the acceptance of an 
appropriate level of risk. 

Ultimately, the operational risks 
associated with SSF will depend to a 
great extent on the availability and type 
of emergency assured crew return 
capability. The issue of providing such 
a capability from SSF continues to 
challenge NASA. There are several 
options under study including the 
development of a dedicated "lifeboat" 
and utilizing the Space Shuttle. Other 
factors that may influence selection of a 
final design include the possible use of 
an expendable launch vehicle and 
associated personnel carrier that could 
be utilized as a return vehicle. Studies 
of these various alternatives are only 
partially complete. Current information 
appears to be insufficient to select a 
preferred approach. 

Ref: Finding #4 

The use of truss segments, which are 
preintegrated with distributed systems 
and verified on the ground instead of 
erected on-orbit, has reduced technical 
risk and made the Space Station a more 
viable program. The preintegrated truss 
members (PIT) must be heavier than 
the original truss elements per running 
foot because the entire mass of the PIT 
is subjected to launch loads. 

PIT members are aluminum I-beams 
bolted together instead of the more 
flexible graphite composite elements 
that previously were part of the design. 
The heavier construction allows Orbit 
Replaceable Units (ORUs) to be 
located in their optimum positions for 
accessibility. 

Table 1 compares several features of the 
restructured and original SSF designs. 

One benefit of the restructured design is 
that EVA time has been reduced 
considerably so that EVA targets are 
now feasible. This has been 
accomplished by reducing the demand 
for EVAs and increasing the efficiency 
of those that must be performed. 
Examples of changes that positively 
impact EVA in addition to the use of 
the PIT are: 

• Providing tools and equipment 
for independent and/or parallel 
EVA operations 

• Enhancing the utility of EVA 
support equipment 

• Locating ORUs to simplify EVA 
operations 

• Simplifying the Mobile 
Transporter. 

TABLE 1 

SSF Assembly and Operational Capability 

                             Preintegrated      Erectable 
                             (After Jan. 91)    (Before Jun. 90) 

Truss                        315 ft.            479 ft. 
Sections/Bays                7 Sect.            29 bays 
Assembly Elements            17                 122 
Lab/Hab Modules              27 ft.             44 ft. 
Nodes                        2                  4 
Cupola                       1                  2 
All International Elements   Yes                Yes 
Assembly Flights             16                 18 
Man-Crews                    4                  8 
KW-Power                     56.25              75 

In the assembly of the PIT sections 
on-orbit, a capture latch provides final 
alignment by engaging guide pins after 
the sections are brought into proximity 
by the Space Shuttle remote 
manipulator arm. Motorized bolts then 
make the final latch-up. There is a 
chance that these sections may not line 
up correctly; therefore, damage may 
occur to the guide pins and bolts when 
the motorized bolts engage. Because 
the PIT sections will be assembled on 
the ground, the opportunity exists to test 
the alignment and mating procedures 
prior to flight. 

The SSF restructuring has eliminated 
some risks and hazards inherent in the 
previous design, but has introduced the 
following new ones: 


• The provision of only one airlock 
instead of two. Loss of node #2, 
which contains this airlock, would 
severely hamper EVA activities. 

• A totally "open race track" 
making it impossible to have dual 
egress paths. 

• The reduction of the atmospheric 
pressure to 10.2 psia, which 
increases fire risk due to the 
increased partial pressure of 
oxygen. 

Although the hazards analyses are 
proceeding well, many potentially 
serious items still are contained on the 
critical item lists. These should be 
reduced or eliminated as the design 
process progresses. 

Ref: Finding #5 

The basic architecture and functions of 
the data management system (DMS) 
have not changed significantly with the 
most recent restructuring of the SSF 
design. Originally, the DMS 
components exceeded their power 
allocations. The current DMS design 
almost meets its weight, power, and 
volume allocations. 

Although the DMS hardware design 
seems to be proceeding as planned, the 
software is still a great challenge; it is 
one of the pacing items of the program. 
To meet the present delta design review 
(DDR) schedule, 17 DDRs will have to 
be accomplished in 1992. This may not 
be possible unless software development 
keeps pace. 

B. SPACE SHUTTLE PROGRAM 



Ref: Finding #6 

Photoanalysis of the STS-28 (OV-102, 
Columbia) flight showed larger body 
flap deflections than were calculated. 
The flaps are in a turbulent flow field, 
which creates a hinge moment spectrum 
greater than that used in the structural 
fatigue analysis. The loads are all 
within the structural limits, but the 
fatigue analysis shows a reduction of 
allowable flights from 100 to 77. 

After the higher hinge moments were 
observed, additional ground tests were 
conducted using recalibrated strain 
gages on the body flap actuator as well 
as additional instrumentation on the 
rotors and stators. Three types of loads 
were applied. It was discovered that an 
additional load path existed back 
through the driving gear to the 
supporting structure. The original 
equations assumed only four load paths 
at the actuators. With a fifth load path, 
it is necessary to develop a new set of 
equations. It also was discovered that 
the actuators were more flexible than 
originally assumed and that the OV-102 
(Columbia) actuators were more flexible 
than those on OV-103 (Discovery) and 
OV-104 (Atlantis). This is attributable 
to increased tooth width on the OV-103 
and OV-104 actuators. Additional tests 
are planned to further evaluate the body 
flap structure. 


Ref: Finding #7 

To apply traditional inspection 
techniques, such as visual and X-ray 
methods, disassembly frequently is 
required. Therefore, a Shuttle Modal 
Inspection System (SMIS) has been 
developed to augment more 
conventional structural inspection 
techniques. Although not a replacement 
for conventional inspection processes, 
SMIS is capable of finding some defects 
without the need to disassemble the 
system being tested. 

SMIS uses changes in structural 
dynamics characteristics to detect 
problems such as wear of actuators, 
honeycomb debond and cracks in 
primary structure that are large enough 
to change stiffness. Actual modal tests 
experienced on OV-102 and OV-103 
have proven the benefits of this system 
to detect structural damage. To apply 
SMIS, each Orbiter part must be tested 
to establish baseline modal information 
to serve as a standard to determine if 
structural changes have occurred. 

Currently, it is planned to use SMIS on 
a regular basis for data acquisition and 
analysis of Orbiter body flaps after 
every fifth flight. 

Ref: Finding #8 

In the past, tile bonding process controls 
and bond verification testing were used 
to ensure the integrity of the thermal 
protection system and identify 
substandard bonds. Approximately 
20,000 to 27,000 tiles were tested on 
each individual vehicle. Typically, only 
13 to 64 tile bond failures were found. 
Initial checkout of OV-105 (Endeavour) 
has shown only 13 failures. 

Use of such bond verification testing has 
been discontinued because it was 
determined that tactile and visual 
inspection techniques by specially 
trained and experienced inspectors 
provided adequate results. These 
"Wiggly" tests depend on the sensitivity 
of the inspector’s touch to determine if 
tiles are loose. The inspectors also 
examine and measure step and gap 
dimensions. Such tile inspections are 
conducted before each flight. 

Tile inspection clearly is dependent on 
the availability of skilled inspectors. 
New quantitative methods could be 
devised to reduce the dependency on 
qualitative human inspections. These 
likely will take some time to develop. 
Therefore, new inspectors must be 
trained well in advance of their need to 
support the Orbiter flow. 

Ref: Finding #9 

The Space Shuttle Program has 
commenced its first major Orbiter 
overhaul cycle with work on OV-102 
(Columbia) at the Rockwell Palmdale 
facility. Future overhauls and major 
modifications on the other Orbiters 
presently are scheduled to take place at 
KSC. With aircraft systems, line 
maintenance and overhaul or major 


modification functions are typically 
organizationally separated even when 
they are conducted at the same location. 
This has worked well with aircraft and is 
likely a good model for the Space 
Shuttle Program to follow. Simply, 
different types of planning, management 
skills, and experience are required by 
routine turnaround flow and the more 
major overhaul and modification 
operations. 

Ref: Finding #10 

The Space Shuttle system presently 
includes an autoland system that 
provides automated guidance capable of 
navigating the Orbiter to the selected 
landing runway. Automated approach 
guidance requires the availability of a 
well-calibrated microwave scanning 
beam landing system. Completion of a 
successful landing requires the crew to 
manually deploy the air data probes and 
landing gear by activating cockpit 
switches. This is similar to the situation 
with commercial aircraft. The crew also 
must be active in the post-touchdown 
rollout phase to ensure a safe transition 
to wheel stop because no automatic 
braking is provided. The present system 
is viewed by the Space Shuttle Program 
as an emergency backup to the 
commander and pilot, but there are no 
documented decision rules for its use or 
operational scenarios under which it is 
mandated. It has not been tested all 
the way to touchdown during an actual 
flight. However, a detailed test 
objective (DTO) is being developed by 
the Space Shuttle Program to provide 
for at least one full automatic landing. 

The increased duration of Space Shuttle 
flights as part of the Extended Duration 
Orbiter Program (EDO) has raised the 
issue of the need to qualify the existing 
system during actual flights. It also 
raises the issue of the possible need to 
fully automate all landing, rollout, and 
braking functions so that the Orbiter 
could be returned safely from orbit 
without any crew intervention, if 
necessary. 

Before discussing the need for possible 
enhancements to the present capability, 
the status of the present subsystem must 
be reviewed. The existing subsystem is 
designed to provide guidance 
information to the Orbiter through all of 
the descent flight phases: 

• Entry guidance (500,000 feet to 
Mach 2.5) 

• Terminal Area Energy 
Management (TAEM) (Mach 2.5 
to 10,000 feet) 

• Approach and landing (10,000 
feet to touchdown). 

Although the crew must deploy the air 
data probes and landing gear, there is 
an automatic speed brake deployment 
and positioning that occurs independent 
of the guidance system. This is similar 
to the prevailing autoland systems in 
commercial airliners. 

The Space Shuttle system differs from 
those in airliners because it defaults to 
automatic mode when deorbit 
commences, and remains there unless 
the crew switches to the control stick 
steering (CSS) mode (manual flying). 
The switch to CSS can be accomplished 
through a pushbutton on the instrument 
panel or, on an axis-by-axis basis, by 
moving the control stick. This is known 
as "Hot Stick" downmoding to CSS. 


The TAEM phase is of particular 
interest because it determines the 
energy state and runway alignment of 
the vehicle at a time in the descent 
when correction for low or high energy 
states is possible. TAEM usually is 
flown manually by the crew, although 
guidance can adequately control the 
vehicle around the heading alignment 
cone and on to touchdown. When the 
crew flies manually, they tend to 
manage energy somewhat less 
aggressively than would the 
programming of the present automatic 
system. This increases crew comfort 
and reduces loads on the Orbiter. 
Effort presently is being devoted to 
examining a change in the guidance 
system to emulate more closely the 
trajectories actually flown by the crews. 

The existing automated approach 
guidance system never has been fully 
flight tested. The second Space Shuttle 
flight, STS-2, left the auto mode 
engaged until the latter part of the 
TAEM region and demonstrated that 
the system was capable of returning the 
vehicle to a flyable energy state from a 
low energy state. STS-3 left the system 
in auto until the commander’s scheduled 
takeover at 125 feet. The system was 
on energy and trajectory at takeover, 
but the pilot had difficulty getting "into 
the loop," and an uncomfortable 
situation developed. The final several 
thousand feet of a Shuttle’s descent 
involves relatively complex flare 
maneuvers with which a pilot might be 
expected to have difficulty when 
retaking command. 

A DTO for remaining totally in the 
automatic mode to touchdown was 
scheduled for STS-16 (41F). However, 
when STS-15 (41D) had an engine-out 
pad abort, flights were remanifested and 
the DTO was canceled and never 
rescheduled. As a result, although there 
have been numerous simulation runs, 
computer modeling, and post-flight 
analyses of guidance commands, there 
never has been a flight demonstration of 
the auto guidance capability all the way 
to touchdown. Therefore, the cognizant 
contractor would not certify the system 
because of the absence of a flight test. 

Rockwell is undertaking a reverification 
of automatic entry and autoland as part 
of their funding for the EDO missions. 
However, this does not mean that it has 
been determined that autoland will be 
needed for EDO or that a decision to 
use it has been made. Plans are being 
formulated for an autoland DTO to be 
executed within the next year. This will 
begin the process of in-flight verification 
of the system. Future analyses are 
planned to determine if additional flight 
tests will be required to develop an 
operationally certified system. 

The existing automatic approach 
guidance capability represents a 
sufficient foundation of hardware and 
software to support the contemplated 
DTO. Eventually, a fully certified 
system may require certain 
enhancements such as increased 
redundancy, decision rules for leaving 
the automatic mode engaged, and 
automated gear and air data probe 
deployment. 

There are four basic situations under 
which Space Shuttle flight safety would 
be enhanced by the use of some degree 
of automated landing assistance. These 
are: 


• Crew unavailability. This is a 
situation in which the crew cannot 
perform their piloting functions 
adequately because of external 
conditions. For example, a 
situation of unavailability might 
occur if the windscreen of the 
Orbiter became completely 
obscured or the cockpit filled with 
smoke or fumes making it 
impossible for the crew to guide 
the craft visually. 

• Obvious crew incapacitation. The 
crew may become physically or 
mentally incapacitated in a manner 
that allows them or ground 
controllers to detect the 
incapacitation. Such obvious 
incapacitation might range from 
total loss of consciousness to loss 
of visual accommodation or the 
ability to move. 

• Subtle crew incapacitation. The 
crew may become physically or 
mentally incapable of flying the 
Orbiter in such a manner that both 
they and the ground controllers 
continue to believe that they, in 
fact, are in control. Subtle 
incapacitations have been 
experienced in many high stress 
environments. They typically 
involve phenomena in which the 
human sensory and/or cognitive 
mechanisms are misleading. 
Examples might involve impaired 
depth perception, spatial 
orientation, or eye-hand 
coordination. 

• Capability Limitations. There are 
flight situations, particularly 
abort maneuvers, that stress crew 
capabilities to the limits. This stress may 
be particularly acute if a landing is 
required into a relatively unfamiliar field. 

For situations involving capability 
limitations, computer assistance through 
an autoland system can augment or 
replace the human crew. This has the 
added benefit of permitting the crew to 
undertake other critical tasks besides 
the landing guidance and management 
of the Orbiter. The generally quicker 
response time of a computerized system 
as well as its ability to store and recall 
vast quantities of contingency 
information make a standby autoland 
system a valuable resource. 

In the event of crew unavailability or 
incapacitation, the crew may retain 
some limited functional capability. For 
example, they may be able to activate 
switches to deploy air data probes and 
landing gear. Under these 
circumstances, an automatic landing 
system that required minimal crew 
interventions, such as switch activations, 
likely would represent adequate support. 
Alternatively, the crew may be totally 
incapable of participating in the landing 
operation due to unconsciousness or the 
inability to move or function. In this 
case, a fully autonomous autoland 
capability would be required to ensure 
the safe return of the Space Shuttle. 
This system might need the capability of 
remote activation to account for 
situations in which the crew becomes 
totally incapacitated after downmoding 
to manual (CSS) steering. 

The situation of subtle incapacitation 
raises additional salient issues. If the 
crew is unaware that their performance 
is degraded, it is illogical to expect them 
to decide to execute an automated 
approach. This suggests the need for 
objectively defined operational rules for 
the use of automated guidance. For 
example, a rule might require the use of 
autoland for all missions exceeding a 
specified length (e.g., 10 days). The 
system also should include specific 
decision rules for engaging the 
automatic mode (or leaving it engaged) 
during flights not covered by the 
operational rules. It also would be 
beneficial to research possible crew 
performance measures that could be 
used during flight to assess the need for 
an automatic landing. Such measures 
could be examined during actual Space 
Shuttle landings by collecting data from 
secondary tasks performed by nonflying 
members of the crew. 

The reluctance of the crews to give up 
their manual landing opportunities as 
well as their concern about the 
"takeover" problems based on the STS-3 
experience is understandable. However, 
it would seem that a takeover at such a 
low altitude would be highly unusual 
and might not be sufficiently credible to 
include in the certification criteria. 

The basic flight controls and computers 
are in use and have been shown to be 
reliable during Space Shuttle missions. 
However, additional sensors and inputs 
may have to be employed for a full 
feature and safe "nonpilot participating" 
autolanding. This may call for a safety 
review of the extended system. 

With commercial airplanes, the overall 
safety level of the total system, airborne 
and ground, is checked carefully by a 
comprehensive failure mode and effect 
analysis (FMEA) to ensure that the 
whole system will meet a prescribed 
safety level. This analysis is conducted 
independent of any consideration of 
pilot intervention. A significant factor 
of the FMEA in commercial aircraft 
probability analysis is the evaluation of 
fault-free performance. That is, 
out-of-tolerance performance not due to a 
detectable fault that could lead to an 
incident, possibly an accident, must be 
considered when arriving at the overall 
predicted safety level. 

In commercial aircraft, autopilots used 
for approach/landing are designed to 
have various redundancy levels 
depending upon their operational use. 
A fail passive or fail-benign system is 
used for operation down to 100 feet. If 
a fault occurs, the autopilot will 
automatically disconnect and warn the 
pilot, but not disturb the flight path. 
Airplanes conducting such landings in 
low visibility using fail passive systems 
generally are certified for use in 
approaches to low altitude (e.g., 100 feet 
or so). This is provided it can be shown 
that the pilot can take over and conduct 
a landing or go-around safely. If the 
automatic pilot is to be used down to 
touchdown without pilot intervention, 
such as a go-around or path correction, 
a fail operational system of some form 
is required and a very low probability of 
a failure that could lead to a loss of 
control must be established before the 
system can be certified. The probability 
of a safe go-around can mitigate this 
value somewhat. Obviously, this is not 
the case with the Space Shuttle. 

Without considering pilot intervention, 
the Space Shuttle system will need to 
land with an extremely high probability 
of being within prescribed parameters of 
touchdown vertical velocity limits, 
lateral and longitudinal dispersions, and 
any other limits peculiar to the 
Space Shuttle such as body angle. The 
confirmation of the possibility of a 
malfunction or fault-free performance 
outside limits would need to be shown 
to be extremely improbable. Therefore, 
a Space Shuttle autoland system would 
need to provide full fail-operational 
performance through touchdown and 
rollout. 

Another vital aspect of autoland 
certification is to ensure that the landing 
parameters, flare profile, decrab 
maneuver, transition to rollout, etc., 
conform to what a reasonable pilot 
would tolerate. In the early days of 
commercial autolanding, these profiles 
were determined by software engineers. 
Although they achieved the accuracies 
required, they were unnatural and 
unacceptable to the pilots, thus causing 
a potential and possibly dangerous pilot 
intervention to occur. 

Today, the flight profiles flown by 
commercial autoland systems have been 
refined to be so natural and consistent 
that most airline pilots say "the system 
does a better job than I do." If NASA 
embarks upon a program to develop 
natural landing maneuvers by the 
automatics that are pilot acceptable, it 
also will have the distinct advantage that 
pilots will be more likely to use the 
system, even when it is not mandated. 
Thus, this will provide valuable 
operational experience and data and, in 
the end, a higher safety level. 

On the assumption that operation solely 
by the human pilot as the prime safety 
element may not be viable under certain 
operational circumstances, a fully 
automatic landing system becomes 
essential to the safe completion of a 
Space Shuttle mission. 

Ref: Findings #11 through #13 


During the year, NASA continued its 
independent review of the verification 
and validation process related to Space 
Shuttle software. This independent 
review has demonstrated its value by 
finding failure modes that previously 
were unknown. Increased involvement 
of the Office of Safety and Mission 
Quality with software safety also was a 
positive step. 

Software verification and validation can 
take several forms including: 

• Continual oversight and review of 
the process 

• Oversight and review of the 
generation of the tests used in 
the process 

• Complete verification and 
validation conducted by a totally 
independent organization. 

Costs and benefits of these approaches 
vary considerably. The cost of an 
ongoing, independent review of the 
verification and validation process and 
of the test generation is relatively small 
compared to the total cost of the 
process. The present ongoing, 
independent review has demonstrated 
the value of this activity and should be 
continued. Although an internal 
steering committee on embedded 
verification and validation has been 
formed, it was not until the independent 
contractor became involved that a 
"roadmap" of the process and generation 
of the tests used was established. The 
internal steering committee has not 
succeeded in carrying out the necessary 
functions on its own. 


Now that a complete roadmap for the 
verification and validation process is 
available, the Panel believes that the 
independent contractor should review 
the process, end to end, and look for 
ways to simplify it. At present, it 
involves a great number of machines 
and people. In addition, the 
independent contractor should 
investigate the process by which the 
tests for the verification and validation 
process are generated. It is essential 
that the independent contractor utilize 
personnel intimately familiar with 
NASA's software processes. An 
independent contractor not utilizing 
such personnel would have great 
difficulty in adequately carrying out this 
function. 

Independent performance of the tests, 
however, is another matter. Costs 
associated with the verification and 
validation process are very high. One 
unofficial estimate puts the cost as high 
as $500,000 for the physical apparatus 
alone. Further, the process can only be 
reliably performed by personnel 
intimately familiar with the software 
production process. Therefore, great 
care must be taken in any proposed 
decision to independently perform the 
verification and validation function. 
There must be both an acceptance of 
the substantial costs involved and a plan 
to acquire the experienced personnel 
necessary to carry out the work. ASAP 
believes that these two factors militate 
against the third listed alternative, 
independent performance of the 
verification and validation tests. Simply, 
the potential gain does not justify the 
cost. 

The new general purpose computer 
(GPC) hardware seems to be performing 
well. The single event upsets (SEUs) 
were no more numerous than expected. 
Indeed, accuracy of the predictions 
based upon NASA's model of SEUs was 
impressive. A cursory analysis concurs 
with NASA's estimate that the 
probability of an SEU-induced failure is 
negligibly small. 

There is still a potential problem arising 
from the eventual saturation of usable 
memory on the new GPC. While the 
time horizon of the "new" GPC has been 
extended somewhat by moving some 
requested upgrades into procedures and 
slowing the software change process, the 
conclusion is the same. Long before the 
end of its planned lifetime, the "new" 
GPC will be saturated and a further 
change will be necessary. It is still the 
case that any foreseen possibility of 
further upgrade will require massive 
reverification and revalidation. With 
the extension of the time at which this 
impasse will occur, NASA has the time, 
if it acts promptly, to plan carefully for 
this next change and complete it at 
minimum cost and turmoil. A small 
planning effort on the next generation 
computer upgrade should be started as 
soon as possible. This study should not 
be constrained to living with the current 
architecture, and should involve others 
in NASA who have been studying long- 
term computer evolution for space 
applications. 

The movement of some requests for 
software upgrades to crew procedures is 
a matter of serious concern. The crew 
already has a very large number of 
procedures with which to be familiar. 
Adding to that load, particularly with 
items that could be handled easily with 
greater reliability and safety by software, 
does not seem wise. Procedures such as 
"do not touch the keyboard for X 
seconds after the occurrence of event Y" 
can be handled easily by software. If 
such procedures are contingencies that 
are employed infrequently, the chance 
of error when they are needed rises. 

A review of all computer-related 
procedures to ascertain whether or not 
there is significant potential for design- 
induced human errors should be 
mounted. This review should include 
crew representatives, experts on human 
factors, and members of the Safety and 
Mission Quality organization. 

SPACE SHUTTLE MAIN ENGINES (SSME) 

Ref: Findings #14 through #17 

The in-flight performance of the Space 
Shuttle Main Engines (SSMEs) has been 
very consistent and without significant 
anomalies since the return-to-flight after 
Challenger. There are now sufficient 
engines at KSC to provide four shipsets 
for the Orbiters plus three spare 
engines. The practice of removing all 
three engines from the Orbiter after 
each flight and conducting the post- and 
pre-flight tests in the "engine room" has 
proved beneficial and effective. Except 
for the high-pressure turbopumps, the 
major components of the engines have 
demonstrated service lifetimes in excess 
of the specified 55 equivalent Space 
Shuttle flights. 

The Phase II component improvement 
program designed to enhance the safety 
and/or reliability of the current engine 
components has continued to make 
progress. The status of the changes to 
the major components is: 

• High-Pressure Fuel Turbopump 
(HPFTP): All changes to this 
turbopump have completed the 
certification requirements; flight 
units are being built. The machine 
has demonstrated the requisite 
10,000 second run time (20 flights) 
and was to have been authorized a 
service life of a "green run" on the 
test stand plus nine flights (half 
certification life). The failure of a 
high-time HPFTP turbine blade in 
test engine 0215, most probably 
the result of a blade material flaw, 
has resulted in a reduced "certified 
operating time" of 7,000 seconds 
(14 flights). This is the equivalent 
of a service life of a "green run" 
plus six flights. A new Computer 
Tomography blade material 
inspection technique has been 
implemented, which will allow the 
restoration of the 10,000 seconds 
certification. Pumps with such 
blades are being assembled, and 
flight use is estimated for the 
middle of 1992. 

• High-Pressure Oxygen Turbopump 
(HPOTP): As noted in last year’s 
report, the SSME project decided 
to abandon its attempt to certify 
the HPOTP for 10,000 seconds of 
service life and instead opted to 
certify the turbopump so that the 
pump-end bearings can be used for 
three flights and the turbine-end 
bearings used for six flights before 
replacement. To accomplish this, 
changes to the inducer/inlet, 
bearing cage coating, ion 
implantation of the bearing balls, 
and a material change to the jet 
ring to increase its fatigue-life 
were incorporated and certified. 
Improved on-engine inspection 
tools for the turbine-end bearing 
have been developed and are in 
service. In-flight strain-gage 
measurements of the vibration 
signature of the pump-end bearings 
to detect early signs of bearing 
wear are also a part of this 
configuration. Experience to date 
with these measurements has been 
satisfactory. A number of 
HPOTPs have been flown three 
times. 

• Single-tube Heat Exchanger: The 
fabrication process for producing 
the 41-foot long single tube for the 
heat exchanger has been developed 
and 10 tubes have been completed. 
Two tubes have been coiled, and 
mockups and test specimens are 
being built. This represents a 
major hurdle in this program. 
One coil is in the process of being 
welded into a powerhead and is to 
be tested in mid-1992. 
Certification is scheduled for 
completion in FY 1993. 

• Phase II+ Powerhead: The Phase 
II+ Powerhead (also known as the 
two-duct powerhead) was tested 
last year. As noted in last year’s 
report, both injector erosion and 
chamber wall blanching were 
experienced. On the positive side, 
lateral pressure gradients and 
velocity profile nonuniformities 
were reduced substantially. Since 
then, the flow shields on the 
injector posts were modified, and 
tests on a second powerhead were 
conducted. Injector erosion was 
eliminated, but main combustion 
chamber (MCC) blanching and 
wall damage still were experienced. 
This has been attributed to a high 
flow resistance coolant circuit in 
the specific chamber used. Two 
units have been built to continue 
development; one with the current 
design combustion chamber and 
one with the large throat 
combustion chamber. Tests have 
been conducted with the large 
throat main combustion chamber 
(LTMCC) unit with very 
satisfactory results (the absence of 
blanching in these tests is the 
result of improved cooling design 
in the chamber). 

As noted in last year’s report, the 
LTMCC was tested on engine 0208. In 
some 3,700 seconds of testing, including 
26 starts, the predicted benefits were 
verified. In addition to reductions in 
the chamber pressure, turbine 
temperatures, and speeds, the hot gas 
wall temperature in the chamber was 
reduced about 100°F. This will have a 
significant effect on the rate of 
combustion chamber blanching and 
cracking. Analysis indicates that using 
the LTMCC would increase the margin- 
of-safety of selected engine components 
by 12 to 30 percent. The testing noted 
above with the Phase II+ Powerhead 
has increased the accumulated run time 
of the LTMCC to 5,000 seconds. 
Unfortunately, the LTMCC development 
was tied to the Advanced Fabrication 
Project whose results were to be 
incorporated no earlier than mid-1997. 
Were this not the case, the benefits of 
the LTMCC could have been realized 
much sooner, as the LTMCC does not 
depend on improved fabrication 
processes to achieve increased margins. 
Because of NASA budget constraints, 
funding for both of these efforts was 
eliminated for FY 1992. To the 
detriment of the program, all activity on 
these efforts will come to a halt before 
mid-1992. 


The design verification system (DVS) 
testing (both laboratory and rig tests) of 
the components of the Pratt and 
Whitney (P&W) Alternate Turbopump 
Program (ATP) is substantially complete 
including demonstrations of component 
life. Some data still are being analyzed, 
but results to date look good. 
Significantly, the bearing materials and 
coatings have been selected and proven. 
An acoustic emission probe installed for 
the bearing rig tests shows promise of 
serving as an in-flight health monitoring 
instrument. Spin tests of shafts, disks, 
and impellers have verified the burst 
margins of these parts. Note that these 
test specimens were heavily strain-gaged 
so that data could be obtained to verify 
the structural analysis models of these 
critical components. A few DVS tests 
await the build of final configurations. 

• HPFTP: Testing of the HPFTP 
on the P&W E-8 test stand and of 
unit 4 on an engine at Stennis 
Space Center (SSC) revealed a 
number of problems with the 
design. Among them were thermal 
cracks in the first turbine vane 
inner shroud, tip seal displacement 
on the third pump impeller, main 
pump discharge housing vane 
cracking, and turbine inlet housing 
strut and slot cracking. Fixes for 
these have been devised and are in 
work. Some have been 
incorporated into unit 5, which has 
been run at SSC for reasonably 
long times at 100-percent rated 
power level (RPL) and has 
reached 109-percent for a brief 
time. The plan is to have all fixes 
incorporated by unit 7. 

• HPOTP: This turbopump 
encountered more difficulties than 
its fuel counterpart during 
development testing. Among them 
is a synchronous vibration problem 
at high power levels when pumping 
LO2. Many changes to the 
mechanical design and assembly 
details have been incorporated in 
an attempt to solve the 
rotordynamic problem. This 
includes increasing the tiebolt load, 
the pump-end ball bearing 
deadband, and the damper seal 
diameter. So far, the changes that 
have been incorporated have 
performed well during the E-8 test 
of unit 05-1, which ran to 104- 
percent RPL with acceptable 
vibration characteristics. This unit 
has been cleared for 100-percent 
RPL operation on an engine. 
Heavily instrumented unit 4-ID 
was used to verify some additional 
improvements. It ran satisfactorily 
to 111-percent RPL with LO2 on 
E-8. Unfortunately, unit 6 (which 
incorporated a de-swirler, in 
addition to other changes) 
exhibited rotordynamic instability 
at 109-percent RPL. It is believed 
that the cause of this phenomenon 
has been identified. Follow-on 
units will include additional 
changes to attempt to eliminate 
this cause. 

• Integrated Tests: The tests of the 
HPFTP on an engine with the 
current HPOTP have shown that 
the transient characteristics of this 
machine generally are compatible 
with the rest of the engine system 
during start and shutdown. There 
are differences, of course, because 
of different moment of inertia and 
breakaway torque of the new 
machine. As a result, some valve 
sequencing had to be modified to 
reduce the fuel preburner ignition 
temperature spike. Some 
additional tuning will undoubtedly 
be required. Performance of the 
HPFTP, as measured on the 
engine, agrees well with the data 
obtained in the E-8 tests. Testing 
of both the P&W HPFTP and 
HPOTP on an engine is scheduled. 

In summary, as in most turbopump 
development programs, the problems 
encountered in the ATP lie in the 
(subtle) mechanical details of the 
design. Problem causes include details 
such as clearances, seals, venting of 
volumes enclosed by cover plates, effects 
of damping seals and bearing preloads 
on rotordynamics, and effects of thermal 
transients during startup. The ability to 
determine the causes of the problems 
encountered has been enhanced greatly 
by the use of component test rigs and, 
perhaps more importantly, availability of 
the E-8 turbopump test stand. Coupled 
with good and extensive instrumentation 
of the development units, these facilities 
allow rapid identification of problems 
and permit rational corrective action. 

Operation of the E-8 stand has 
improved much since last year. It is 
reported that two out of three test 
attempts now lead to successful runs - 
excellent performance for so complex a 
facility. 

Engine-level tests have revealed some 
system issues but, so far, nothing of 
major consequence. Schedules are still 
optimistic. Significant progress has been 
achieved since last year. Engine tests 
with both turbopumps installed will be a 
major milestone in the near future. 

In a recent decision resulting from 
budgetary problems, NASA has decided 
to cancel work on the P&W HPFTP and 
to continue only the development of the 
P&W HPOTP. The plan is to use this 
new HPOTP in conjunction with the 
current HPFTP. While such an engine 
configuration is feasible, it will not 
achieve the operating margin increases 
sought for the engine system. NASA 
has made provisions in its planning to 
review the status of the P&W HPOTP 
development in 1994 and reconsider the 
cessation of HPFTP development at that 
time. 

ADDITIONAL ORBITER 
COMPONENTS 

APU Turbine Wheel Blade Cracks: 
Blade root and tip cracks have existed 
since the start of the program. The 
turbine wheel speed is 72,000 rpm, with 
a high speed of 81,000 rpm. A design 
revision was initiated in December 1987; 
it produced 15 wheels that have 
accumulated 210 hours with no cracks. 
By the time this report is published, all 
APUs will have been equipped with the 
new turbine wheels. The new design 
wheels are certified for 20 hours with a 
75-hour certification test to be 
completed in the first quarter of 1992. 

APU Gas Generator Valve Module Seat: 
The shutoff outlet seat has evidenced 
cracks. The investigation of the launch 
scrub of STS-31 showed that the seat 
was broken and a piece missing. The 
consequences could be a reduced APU 
output or possibly a shutdown. As a 
result, a liquid leak check of the valve 
prior to flight is required as well as a 
valve replacement every 18 months. 

Orbiter Drag Chute: The plan is to use 
the chute on every landing because it 
enhances directional stability. Structural 
requirements were validated by analysis. 
The drag chute system was tested 
successfully at the component and 
system level. There still are a few tests 
remaining. All nominal condition tests 
with the B-52 have been completed. 
Tests to expand the envelope still have 
to be conducted. 

SOLID ROCKET MOTORS 

Ref: Findings #18 through #21 

Work performed on the Advanced Solid 
Rocket Motor (ASRM) to date generally 
has been well-conceived and of high 
quality. The schedule does not have 
much contingency time. Although 
techniques can be made to work 
adequately, it might take considerably 
longer than planned because there is a 
lot to integrate. 

There are concerns about scale-up of 
the pilot propellant mix and casting 
facility. Many parameters and processes 
have not been fully determined. 
However, Aerojet has produced a 
substantial amount of similar solid 
propellant using continuous production 
processes so the basic techniques are 
familiar. The continuous solid 
propellant production facilities involve a 
variety of mixing and transport facilities. 
Safety concerns arising from propellant 
remaining in the transfer lines have 
been addressed. The propellant 
requires a period of 40 to 50 hours to 
gel, and can be expelled from the 
transfer lines for a significant time after 
it enters. Hazard analyses revealed no 
credible hazard that could prevent 
evacuating the lines for as long as 15 
hours. The propellant is normally in the 
transfer tube for only about 30 minutes. 

Safety devices are installed on the 
propellant flow line to limit the spread 
of fire in case of an accident. The flow 
line transporting the uncured propellant 
has several fire breaks to prevent 
propagation of a fire along the tube. 
The basic safety device is an explosive- 
fired guillotine valve that interrupts the 
flow, with a water spray on the 
propellant to lower the temperature 
below the ignition point. In addition, 
there is a collar in the flow line 
upstream of the guillotine and on the 
casting pit side of a fire wall that can be 
blown to allow the propellant to flow 
out on the floor and prevent pressure 
buildup. A matter that must be 
considered is cleanup after an accident 
involving a dump of uncured propellant 
on the floor. The continuous mix pilot 
plant at Aerojet provides a way of 
proving a new propellant and upgrading 
the equipment before establishing a full- 
scale facility at Yellow Creek. The 
major differences between the pilot 
plant and the full-scale facility are 
equipment size and process control 
software. The pilot plant production 
rate is 1,000 to 1,400 pounds/hour with 
the full-scale facility producing 20,000 to 
26,000 pounds/hour. The ultimate 
particle size of the propellant is 
dependent on parameters such as 
geometry of piping, length of lines, and 
fluid working pressures that may not be 
directly scaleable. There are many 
challenges such as metering of 
propellant solids, pre-mix of iron oxide 
and aluminum, and real-time process 
control. Upscaling the rotofeed 
deaerator and pump equipment probably 
presents the greatest challenge. 

The propellant manufacturing process 
includes several methods to ensure the 
quality of the product. There is a 30- 
minute delay loop in the propellant lines 
that permits extracting and analyzing a 
sample before the material reaches the 
casting pit. In addition, small test 
articles are cast with each batch. 
Propellant samples are tested after 
casting to ensure burning properties are 
to specification. 

A new method for assessing propellant 
quality is under development. This 
Fourier Transform Infrared/Factor 
Analysis (FTIR/FA) produces 
"fingerprints" of the propellant being 
produced. If the development proves 
successful, it could be used on-line to 
eliminate most of the laboratory testing 
during production. 

Obviously, successful development of the 
insulation strip winding process will be 
a marked improvement in cost and time 
to the present hand lay-up method used 
in the Redesigned Solid Rocket Motor 
(RSRM) installation. The extruder 
equipment that produces the insulation 
material in the process development is 
identical to that specified for the Yellow 
Creek facility. Initial tests of the 
stripwinding were conducted on bare 
metal that had been neither cleaned nor 
treated with adhesive. These tests were 
successful in that the insulation did stick 
to the inside of the casing. 

It is necessary to develop a data base 
for strip winding before producing the 
48-inch insulation test articles. A 48- 
inch long section of a 150-inch diameter 
case will be developed for the field joint 
test article. However, the boom travel 
will have to reach 400 inches for the 
full-scale motor. Finally, the entire 
process will be verified in the 
development and qualification motor 
tests. 

The case will be turned on end for the 
liner spraying operation. A robot arm 
will traverse a vertical beam and spray 
the liner on top of the white insulation. 
Much of the work to date has been 
directed toward determining the proper 
chemical composition of the liner. 
Current plans include a visual inspection 
of the liner after spraying facilitated by 
the addition of black pigment to the 
spray. 

The HP9-4-30 steel for the case was 
selected to be forgeable, machineable, 
and resistant to stress corrosion cracking 
and to general corrosion with proper 
coating. The steel case will be 
inspected using magnetic particle 
inspection along with alternative non- 
destructive inspection (NDI) methods. 
The consistency of the case properties is 
dependent on proper process control 
and development testing. A thorough 
program of testing to characterize this 
material is needed to support the 
finalization of the case design and 
manufacturing plans. This must include 
development and characterization of the 
manufacturing processes such as plasma 
arc welding and weld repair procedures 
for the large diameter steel casing. 

A key item in the propellant mixing and 
casting program is the development of 
the software for the overall process 
control. Although contracts for 
development of the software are 
underway, little attention has been paid 
to the design of the user interface. It 
would appear that the system design 
would benefit from a more complete 
analysis of the interface and the 
participation of an expert in human- 
computer interfaces. As a basis for 
making decisions, a complete task and 
functional analysis should be performed. 

Ref: Finding #22 

NASA is committed to using the current 
aft skirt configuration on all RSRMs 
and ASRMs. Data received by the 
Panel justifies the NASA decision. This 
data consists of maximum strains 
recorded at all eight hold-down posts 
during 18 firings of the Space Shuttle (1 
flight readiness firing and 17 actual 
launches). 

Using the data received and a tensile 
strain of 5,143 micro-inches as the strain 
measured at 100-percent Design Limit 
Load (DLL) on the static test specimen, 
the confidence level in the estimated 
probability that certain load levels will 
or will not be exceeded can be 
calculated: 

• The probability that DLL will be 
exceeded is 5 percent, with a 
confidence level of 95 percent. 

• The probability that 1.28 x DLL 
will not be exceeded is 99.9 
percent, with a confidence level 
of 99 percent. 

Although there is a fair likelihood that 
the DLL will be exceeded, it is quite 
unlikely that a failing load will be 
experienced. In the above prediction, 
static test failure strength was not 
corrected to account for variability of 
weld strength. This variable deserves 
more consideration. It could be argued 
that in the large volume of weld 
material exposed to maximum stresses in 
the test article, there existed at least 
one of the maximum flaws that could 
escape NDI detection. Therefore, 
failures were initiated at near A-type 
strength values. The fact that two test 
articles failed at nearly identical values 
of load lends some credence to this 
argument. 

Calculated ASRM lift-off loads are 
within aft skirt certification limits. The 
stiffer field joint design of the ASRM 
versus the pinned joints of the RSRM 
yields the same factor of safety of 1.28. 
ASRM flight loads are favorably 
affected by both the larger diameter of 
the ASRM case and integrated 
electronics assembly box relocation. 

While a factor of safety of 1.28 is 
considered adequate, radial biasing on 
the spherical bearings on the holddown 
posts is required to achieve it. In 
addition, there is a study underway to 
improve the strength of the skirt by 
adding an external bracket or groove in 
the skin. Due to the planned use of this 
skirt on the ASRM, the exceptionally 
low factor of safety at the skirt weld, 
and lack of a good understanding of the 
failure mechanism, NASA's safety 
organization should continue to monitor 
strain data from each launch to develop 
an adequate profile. This will establish 
a truly credible data base for the 
statistical justification of the low factor 
of safety. 

Ref: Finding #23 

It is important to review logistics 
planning activities early in a program 
such as the ASRM. Approximately 10 
people currently are working on ASRM 
logistics representing all major 
contractors and NASA groups. Plans 
include maintenance, supply and 
support, transportation, and training. A 
line replaceable unit (LRU) list has 
been prepared for flight hardware, and 
a number of pieces of ground support 
equipment (GSE) have been identified. 
Training manual and related document 
needs have been identified, and 
transportation barge operations are 
evolving. A good start on the ASRM 
logistics has been made. 


LAUNCH AND LANDING 

Ref: Finding #24 

During the past year, several Space 
Shuttle landings either experienced 
problems or off-nominal performance. 
Due to the planned increases in landings 
at KSC rather than Edwards Air Force 
Base (EAFB), with its relatively large 
margins for landing error, it is important 
to understand the reasons behind any 
landing problems and develop ways to 
prevent their recurrence. 

The STS-37 landing was extremely short 
and slow. There were many reasons for 
the extremely low energy state of 
STS-37 including: 

• The crew had never landed on 
runway 33 at EAFB and had not 
trained for its approach because it 
encroaches on Los Angeles 
International Airport airspace. 
EAFB runway 33 approach is not 
included in the simulators. 

• The crew were not given the most 
precise wind-shear information 
because: 

  - Ground controllers were in 
    a high workload situation 
    that was caused by carrying 
    landing solutions for both 
    KSC and EAFB. 

  - Information from the 
    Shuttle Training Aircraft 
    (STA) was not passed along 
    adequately; there is no 
    direct communication 
    between the STA pilot and 
    the Space Shuttle crew. 

• The crew’s belief, which was 
reinforced by their training, was 
that they could make up their 
energy deficit during the post- 
heading alignment cone portions 
of TAEM or as part of approach 
and landing. 

STS-39 experienced some tread loss on 
the right main gear and some nose wheel 
abrasion. This has been attributed to a 
faster than normal landing and drift near 
touchdown. The right gear crossed the 
crown in the KSC runway twice at high 
speed, which contributed to the tire 
wear. The safe limit of the tire (6 plies) 
was not reached as only three plies were 
damaged. 

There were many lessons learned from 
analyzing the STS-37 and STS-39 landing 
anomalies. Some already have resulted 
in changes in procedures and training. 
Overall, a heightened awareness of 
possible landing problems seems to have 
emerged. A continued focus on 
communications and decision-making 
during landing as well as the process of 
energy management would seem to be 
warranted. 

Ref: Findings #25 through #30 

The task team concept that has been 
implemented at KSC is an approach to 
involving hands-on leadership at the task 
level. One of its benefits is that it keeps 
jobs moving without sacrificing quality, 
control, or safety. It also brings together 
all personnel needed to perform a 
particular job in conjunction with an 
identified leader and places 
responsibility at an operationally realistic 
level. Specific training on operating 
within a task team environment has been 
developed and used by the Shuttle 
Processing Contractor (SPC). Task team 
leaders are selected from the ranks of 
engineers and technicians as appropriate. 

The task team leader concept has not yet 
been widely introduced formally into 
Vehicle Assembly Building operations. 
However, the operations concerned with 
solid rocket booster (SRB) stacking and 
external tank (ET) attachment have 
developed many similar characteristics. 
These include a stable workforce that 
has developed a team approach, 
authority to accept verbal deviations with 
subsequent documentation, and direct 
engineering support and involvement. 

In addition to the introduction of task 
teams, a joint NASA/SPC Steering 
Committee has been established to 
oversee and improve launch processing. 
The Steering Committee developed its 
"Top Ten" agenda from 250 potential 
improvements that could be undertaken. 
As improvements are completed, new 
targets are to be added to the active list. 
The general revision of all Standard 
Practice Instructions (SPIs), underway 
for the past 6 months, has been a major 
source of recommended changes that the 
Steering Committee has pursued. The 
workforce has been directly involved in 
these revisions. The objective has been 
to achieve simplification of SPIs and 
streamlining of the processes. 

Other targets of Steering Committee 
activity include signature reduction, 
reduction of witness inspections in favor 
of greater surveillance and verification, 
and avoiding steps that do not add value. 
Additionally, the concept of a designated 
verifier (where a certified technician 
hand stamps his/her work such as in 
airline maintenance/inspection) is being 
presented to Level I management for 
acceptance. A shop data collection 
system is now in place to identify the 
sources of delays in Space Shuttle 
processing. This system, originally 
planned for inclusion in the Shuttle 
Processing Data Management System II 
(SPDMS II), was developed as a stand- 
alone because of delays in SPDMS II 
development and implementation. It 
will be important to ensure that this 
subsystem as well as others like it that 
have sprung up to fill specific needs are 
adequately accounted for in the final 
SPDMS II design. This can best be 
accomplished by ensuring involvement of 
system users in the SPDMS II design and 
implementation process. 

LOGISTICS AND SUPPORT 

Ref: Findings #31 through #38 

Although some problems persist, the 
Space Shuttle support programs are 
generally in very satisfactory condition. 

The Integrated Logistics Panel (ILP) is 
an essential component of the overall 
logistics and support activities for the 
Space Shuttle. In 1991, there were three 
ILP meetings. At these meetings, 
presentations were made on subjects 
germane to the activities of the meeting 
host site. The wide-ranging issues that 
were covered in detail included trend 
management reporting; development of 
computer tracking systems; control, use, 
stocking, and disposal of hazardous 
waste; and interface problems among 
Centers and contractors. The meetings 
provide for good working-level 
integration and interchange on all 
aspects of the Space Shuttle logistics 
programs. 

The Logistics Management 
Responsibility Transfer (LMRT) 
function was initiated to coordinate the 
transfer of management skills, 
equipment, and funding to the KSC 
vicinity to the maximum extent practical 
for greater overall launch efficiency. 
LMRT involves transfer of both NASA 
and contractor resources. It appears that 
the present atmosphere surrounding 
LMRT within the NASA Centers is one 
of cautious retrenchment, thus slowing 
the transfer of resources. For example, 
the memorandums of agreement 
(MOAs) for transfer of SRB, RSRM, 
and SSME flight and GSE hardware are 
all being reevaluated. Other activities, 
such as thermal protection system, are 
proceeding as planned. Other issues, 
such as the Fleet Leader Program to 
determine the best supportability and 
repair strategies for the orbital 
maneuvering system and reaction control 
system hardware, are being reviewed for 
transfer to KSC. 

This year’s work at the NASA Shuttle 
Logistics Depot (NSLD) concentrated 
upon meeting the goals for the number 
of certifications contemplated and on 
achieving much faster turnaround for 
component repair and overhaul. 
However, statistics on the number of 
certifications completed can be very 
misleading because some can be 
completed in 18 months whereas others, 
like the multiplexer/demultiplexer 
(MDM), may take as long as 2 \ years to 
perfect using the advanced Automatic 
Test Equipment (ATE) installed at 
Cocoa Beach. The schedule calls for the 
acceptance of six MDM units in 1992 
and seven other MDMs in 1993. 
Although the effort is expensive and 
time-consuming, there is good reason to 
believe that eventually an almost routine 
checkout can be achieved using the 
ATE. 

On the matter of reducing component 
turnaround time for the combined NSLD 
and original equipment manufacturer 
activity, the latter months of 1991 have 
shown some illuminating data (Figure 5). 
The overall workload for repair at the 
NSLD is now increasing to the point that 
the backlog is becoming significant. An 
example of the savings in component 
repair turn-around time (RTAT) for the 
rate gyro assembly refurbishment on the 
SRB shows an average of 105 days 
versus 160 for the OEM and a cost of 
$7,936 versus $31,000. While not all of 
the components being repaired or 
refurbished by the NSLD have shown 
such spectacular gains, the important 
issue is that they are now under the 
control of NASA so that appropriate 
priorities may be assigned to meet 
launch supply needs. 

Figure 6 shows the history of 
cannibalizations for recent flights. The 
controls over the problem have been 
noted in previous ASAP reports. 
Whereas about five cannibalizations per 
vehicle were reported after STS-26, the 
average number is now down to two. A 
few repeat items still are involved. For 
example, TACAN equipment and cables 
still were being swapped from OV-102 
and OV-105 for OV-103 on its recent 
launch (STS-48). During the last 10 
flights with three vehicles in the 
processing flow, there have only been 
nine vehicle repairable items, three 
government furnished equipment items, 
and eight secondary structural items 
provided by cannibalization. Overall, 
this is satisfactory performance for a 
limited fleet of complex vehicles. 

Component RTAT performance is 
improving with an overall average RTAT 
through the NSLD of 45 days against 
a previous 180 days for OEM-handled 
components. The NSLD management 
appears to be working hard to further 
improve this encouraging performance. 
One of the problems is that of 
"streamlining" the paperwork. A typical 
instance showed a particular part being 
"logged in" no less than 17 times before 
reaching the workbench for actual 
hands-on repair work. Figure 7 shows 
the reparable line replaceable unit 
(LRU) fill rate up to STS-42. This 
parameter is judged to be highly 
satisfactory at the present time. The 
overall average fill rate of 92 percent is 
probably due mostly to improvements in 
repair cycles. 

Finding #37 discusses the "zero balance" 
(or "none in stock") and those items for 
which the stock is below the established 
minimum safe levels. The chart shown 
in Figure 8 indicates a recent sharp rise 
probably due mostly to the introduction 
of OV-105. This problem has the 
attention of logistics management 
personnel. 

The problem of out-of-production spares, 
or in NASA terminology "Pending loss of 
repair/spare capability," can only 
continue to worsen. In the majority of 
cases, the principal solution must lie in 
the extension of NSLD capabilities. 
Obviously, some components will defy 
the repair capability of even a well- 
funded NSLD. With total wear-out of 
these parts, the only recourse is to 
institute some redesign and modification 
action to keep the systems working. 
Lists of critical vendors and their 
components are being drawn up. 
Although this situation is receiving 
energetic middle management attention, 
further help may be required from the 
higher echelons. 

The general situation of availability of 
spare SSMEs (which are supported 
directly by Rocketdyne out of their 
Canoga Park facilities) is satisfactory at 
the present time. The history of 
cannibalization within the SSME engine 
shop is shown in Figure 9; the spares 
requested versus those filled shows a 
very satisfactory performance. Use of 
expensive commercial air cargo or other 
airline charter flights for turbopumps 
virtually has been eliminated by the 
introduction of new shipping containers. 
Current issues including hydraulic 
actuators, bolt and seal surveillance due 
to stretched bolts, and nozzle insulation 
kits, are being handled in routine 
fashion. 

All logistics measurement parameters for 
the RSRM such as cannibalization, fill 
rates, zero/below minimum balance, 
RTAT, and pending loss of spare or 
repair capability were in the desired 
range. In addition, Thiokol has full 
support capabilities at its Brigham, Utah 
facility. There has been no 
cannibalization on the RSRM. All 
repairs of LRUs are done on a "real- 
time" replacement basis in the Thiokol 
Wasatch facility. Overall, inventory 
control accuracy presently is running at 
95 percent with a target of 100 percent. 
This is a very impressive performance. 

United Space Booster, Inc., (USBI) 
handles the SRBs at KSC and in their 
support facilities nearby. They report no 
cannibalizations. Fill rate and 
zero/below minimum balance issues do not 
arise because production assets are used. 
USBI can repair all on-site items except 
the lube oil accumulator; an agreement 
is being made with an alternative vendor 
for this item. Only six components have 
been selected for off-site repair; there 
are no concerns about support by these 
OEMs. RTAT for some elements of the 
thrust vector control system are lengthy. 
The paperwork is said to be taking 
longer than repair of the hardware. 
USBI is developing their own simple test 
set for checkout of some of the electrical 
and instrumentation components to 
eliminate some of the comprehensive 
test routines now being accomplished. 
Off-site repair and recertification is used 
in the cases of the hydraulic pumps, 
servo-actuators, and APUs. 

A large number of logistics-related 
annual audits are now being conducted 
by various agencies such as NASA, the 
Air Force, and the Department of 
Defense (DoD). Transfer of selected 
elements of GSE and commercial 
consumables is being made from 
MSFC/USBI to KSC Lockheed Space 
Operations Co., under the aegis of the 
LMRT program. An in-production 
control system (IPCS) is employed by 
USBI to support the Space Shuttle by 
minimizing the inventory investment. 
The IPCS is based on a predetermined 
flight rate rather than an "initial lay-in" 
of spares. Considerable economic and 
control advantages are derived from the 
IPCS. A state-of-the-art integrated 
electronics assembly (IEA) test set is 
being developed at the USBI Slidell 
facility to perform intermediate and 
depot-level maintenance. The test 
procedures are being simplified in the 
light of experience. The general 
assessment is that the USBI/SRB 
logistics and maintenance work is 
evolving well and is being managed 
competently. The only concerns appear 
to be storage capacity and the status of 
some parts suppliers. A new facility is to 
be built and will be available in 1994. 

ET production and supportability trends 
appear to be on a steady track with all 
parameters in the desired range. Fill 
rate, zero balance, and below minimum 
stock are under control. Some pending 
issues of repair/spare capability are 
being worked out. There have been no 
cannibalizations and LRU replacements 
are declining. RTAT issues present no 
problems for the ET because items are 
replaced within 24 to 28 hours from 
production assets. Overall, performance 
is very satisfactory. 

LMRT activities for the ET are 
proceeding and the transfer MOA has 
been approved. Single-source vendor 
activities on four items are being 
pursued. An ET GSE plan to recertify 
every 10 years by analysis, repair, and 
replacement, currently is being reviewed. 
ET logistics have initiated state-of-the- 
art procedures through several dedicated 
teams including a lively Total Quality 
Management (TQM) approach. 

Figure 6. Orbiter Cannibalizations 

Figure 7. Orbiter Reparable LRU Fill Rate by Replacement Source 

Figure 9. History of Cannibalization within the SSME Engine Shop 


C. AERONAUTICS 


Ref: Finding #39 

On August 12, 1991, NASA Management 
Instruction (NMI) 7900.2 on aircraft 
operations management was signed. 
This NMI deals with critical functions 
needed to ensure safe administrative 
aircraft operations. It is understood that 
a companion delineation of aviation 
safety requirements in the basic safety 
manual is contemplated to complete the 
establishment of a proper aviation safety 
management organization and 
Agencywide statement of the philosophy 
of aviation safety. A Headquarters 
organization to coordinate flight policies 
throughout NASA is needed to obtain 
the maximum operational and safety 
value from these various policy 
statements. 

Ref: Finding #40 

In the current year, the ASAP only 
examined the aeronautical flight 
research programs at the Dryden Flight 
Research Facility (DFRF). Significant 
effort also is ongoing at the Langley and 
Ames Research Centers; the Panel has 
reviewed these in past years. 

DFRF has established an impressive 
array of test vehicles, which include the 
X-29s, F-16XLs, SR-71s, F-18, F-15, 
F-104G, B-52B, T-38, and PA-30. The 
B-52G is programmed to replace the 
B-52B. The aircraft are a national asset, 
and should be maintained and 
programmed for flight research tests at a 
high utilization level. 

The F-18 High-Angle-of-Attack 
Research Vehicle (HARV) program 
includes a massive thrust vectoring 
apparatus mounted on the tail section 
that (with ballast) weighs approximately 
2120 pounds. It reduces the maximum 
Mach number of the F-18 from 2+ to 
1.2. The flight control system 
modifications have been tested in the 
simulator, and one closed loop (pitch 
and yaw) flight has been completed. 
The system currently is cleared to a 20- 
degree angle-of-attack (AOA) with a 
potential to trim to a 70-degree AOA. A 
follow-on activity will incorporate 
forebody control blowing in the nose for 
yaw control experimentation. 

The X-29 AOA program has completed 
85 flights with very stable controllability 
up to 45 degrees. The vehicle has been 
flown to 70 degrees; however, loss of 
vertical tail effectiveness causes a 
reduction of yaw control above 40- 
degrees AOA. A strong forebody/wing 
vortex impinges on the vertical tail. This 
can cause a fatigue problem and needs 
to be monitored. 

The F-15 Highly Integrated Digital 
Electronic Control (HIDEC) program 
has completed 36 flights. It has 
demonstrated excellent performance 
gains by implementation of its real-time, 
adaptive optimization of the flight 
control, engine, inlet, and engine nozzle. 
Of great importance is the propulsion- 
only flight control for landing with no or 
reduced control of the aerodynamic 
surfaces. This has application to both 
civil and military aircraft. 

The SR-71B (two-seat) is to be flown for 
a year to assess and determine a set of 
research programs that can best be 
performed on this aircraft. NASA is 
fortunate to have been given a wealth of 
spare parts by the Air Force. Also, the 
SR-71B had completed its periodic depot 
maintenance check prior to being 
assigned to NASA. Two SR-71As have 
been acquired by NASA and are being 
placed in flyable storage pending the 
definition of suitable flight test activities. 

The F-16XL aircraft currently is being 
flown to evaluate the ability to produce 
laminar flow in the surface of a highly 
swept (65 degrees on the leading edge) 
supersonic wing. A portion of the left 
wing has been fitted with a glove 
containing suction holes for removing 
the boundary layer. A turbo-compressor 
is mounted in the fuselage to produce 
the wing suction. Concerns were 
expressed over the potential for turbine 
wheel failure with potential ensuing 
damage to the aircraft. The flight tests 
were begun in March 1991. 


The B-52 currently is being used as a 
launch vehicle for the Pegasus space 
vehicle. The first two of the planned six 
flights have been accomplished 
successfully. The gross weight of the 
Pegasus is approximately 42,000 pounds, 
which is well within the load carrying 
capability of the NASA B-52 pylon that 
previously was used to launch the X-15 
aircraft. 

Another interesting test program utilizes 
the Convair 990 aircraft for dynamic 
tests of the Shuttle landing gear. The 
Orbiter speeds and weights can be 
duplicated to evaluate tire wheel 
performance on various landing surfaces. 

Overall, the assessment of the ASAP is 
that these programs are being managed 
with an acceptable emphasis on flight 
safety through a rigorous process of 
analyses and safety reviews. 


D. OTHER 


Ref: Finding #41 

Reports from crew members on extended 
Space Shuttle missions that involved two 
shift operations indicated that they 
experienced some difficulty in achieving 
restful sleep. This phenomenon is not 
unusual when circadian rhythms must be 
shifted. These problems are similar to 
those experienced by aircraft flight crews 
in long-haul operations. A program of 
research and countermeasure 
development on crew rest cycles and 
circadian rhythm shifting to support both 
Space Shuttle and Space Station 
operations is needed to address this 
problem. This program could 
productively be modeled after the 
ongoing NASA aircrew research being 
conducted at the Ames Research Center 
(ARC). 

Ref: Finding #42 

In analyzing the causes of aircraft 
accidents and near accidents over the 
last decade or more, case investigators 
have come to rely increasingly on clues 
furnished by experts in human 
engineering. Individualistic behavioral 
patterns performed under stress, in some 
instances, have been identified as prime 
contributors to the accidents. Extensive 
worldwide military and civil aviation has 
provided a broad data base for such 
analyses. In contrast, the data base for 
manned spaceflight and associated 
ground operations is relatively small and 
of recent origin. As a consequence, little 
interest has been shown in harnessing 
this discipline to spaceflight programs. 
Nevertheless, as Space Shuttle flight 
duration is increased to 30 days or more, 
and SSF is activated, the potential for 
accidents attributable to human error 
will increase. For example, sleeplessness 
and boredom have been highlighted as 
the reason for several airplane accidents. 
Therefore, the time may be opportune to 
enlist the insights of human engineering 
to help prevent accidents in the manned 
space programs attributable to such 
situations. 

NASA possesses competent in-house 
capabilities in human engineering, 
especially at ARC and JSC. ARC, in 
particular, has made frequent 
contributions affecting aviation safety 
whereas JSC’s role principally has 
involved astronauts’ experiences in 
spaceflight. Coordination and 
information exchange between these two 
Centers has not been as effective as it 
might be; this is partially due to the 
different programmatic responsibilities. 
However, with the beginning of 
operational planning for SSF, NASA 
should bring about a closer relationship 
between these programs and potentiate 
efforts to enlist human factors research 
as an agent to prevent human errors in 
space activities. 

Ref: Finding #43 

NASA has a hierarchy of reporting 
systems for mishaps and incidents. 
Formal documentation, including NMI 
8621.1, which is currently in revision, 
defines the various levels of mishaps and 
investigation and reporting requirements. 
At the top level, NASA operates the 
NASA Safety Reporting System (NSRS). 
Although named and modeled after the 
Aviation Safety Reporting System 
(ASRS), that NASA runs for the FAA, 
NSRS is not its analog. ASRS was 
designed to provide data on near-misses 
and human errors in the aviation system 
(pilots, controllers, and mechanics), 
which otherwise would have gone 
unreported because they did not result in 
property damage, injury, or a detected 
violation. It is a voluntary system of 
self-reports with the reporter being 
granted limited immunity in some cases. 

NSRS was developed in the aftermath of 
the Challenger accident to provide a 
direct line to NASA top management so 
that people in the system at any level 
could surface a safety concern if they 
believed it to be of sufficient 
importance. It perhaps is unfortunate 
that NSRS was named after ASRS 
because their objectives are quite 
different. 

Even though it is lightly used, NSRS 
provides a valuable service by providing 
a potential safety valve for reporting 
Challenger-like situations. However, 
NASA has no system analogous to ASRS 
that allows people to report their own 
errors or near-errors in an anonymous 
manner at the local level. The new task 
team approach emerging at KSC 
encourages some reporting of this type 
but appears neither to structure it nor to 
provide any expert analysis of the 
information collected. 

NASA is lacking a mechanism for 
reporting those events in which an error 
happens and is recognized by the person 
involved or an observer but does not 
result in a defined accident, incident, 
close call, or reportable violation. For 
example, a technician working on a fuel 
cell might momentarily cap a vent line 
that is not to be capped but immediately 
realize his/her error and remove the cap 
before any damage occurs. Likewise, 
someone may start to turn a bolt the 
wrong way but realize the mistake before 
the action takes place. These types of 
situations do not get attention unless 
someone involved perceives a fix. In this 
case, a suggestion may be generated to 
management in the hope of receiving 
some recognition. Otherwise, the 
situation goes largely unreported. 

Because the existing reporting systems 
go outside the local environment (e.g., to 
Safety or to Center or Headquarters 
management) it is likely that a "near- 
error" is perceived as too 
inconsequential to warrant a report. 
This is exactly the opposite of the ASRS 
situation in which pilots, controllers, etc., 
have been encouraged to make a report 
of any such event, no matter how 
insignificant it seems. Trained analysts 
then can look across events for patterns 
indicating an emerging problem or 
within a particular occurrence for 
possible remedies. 

The clear benefits from collecting 
information on human errors do not 
imply that an additional, highly 
structured reporting system is required. 
Inclusion of a training module for task 
teams and quality working groups might 
be sufficient if a way were devised to 
amass and analyze the information over 
time. The major benefit of systems such 
as the ASRS is that they permit trained 
analysts to spot emerging safety 
problems and trends before they lead to 
accidents. 

Ref: Finding #44 

There were two indications of a quality 
control problem having to do with the 
Tethered Satellite System (TSS) 
program. The first occurred when a 
spare clutch to the vernier motor failed 
its acceptance test due to the failure of 
bonding between the rotor and the cork 
clutch material. The shelf life of the 
bonding had been exceeded. A question 
exists regarding the flight clutch because 
the bonding material shelf life is 
uncertain. Investigation revealed that 
neither the flight article nor the failed 
spare unit had an adequate build paper 
with quality assurance acceptance. 
There are two other flight clutch 
assemblies that do possess the proper 
documentation. 

The primary control of the trajectory of 
the TSS is the rate of extension or 
retraction of the tether. Since an 
accurate analytical prediction of the 
system dynamics is directly related to the 
ability to control roll, all components of 
the system, including the clutch, should 
be without operational uncertainties. 

The other problem involved a shipment 
of 15-5 stainless steel material that was 
marked incorrectly as not needing heat 
treatment. It was used erroneously to 
manufacture 18 parts in the mechanism 
that deploys the TSS. Therefore, these 
18 parts have a lower hardness and 
strength than was intended - assuming 
they had been heat treated. Initial 
investigation by NASA and Martin 
Marietta indicates the parts will not have 
a critical impact on the operation or 
safety of the TSS. 

Ref: Findings #45 and #46 

Current plans for long-term use of the 
Space Shuttle, and assembly and 
operation of the SSF suggest a continued 
and increasing need for extravehicular 
activities (EVAs). Although excellent 
efforts have been mounted and are 
ongoing to reduce the need for EVAs 
whenever possible, contingencies, design 
requirements, and economics each will 
dictate the need for some EVA 
activities. These EVAs must be 
supported by an appropriately designed 
extravehicular mobility unit (EMU) and 
associated space suit. For example, 
current projections for the on-orbit 
repair of the Hubble Space Telescope 
(HST) call for three separate EVAs, 
each lasting over 6 hours. This is a more 
ambitious EVA profile than previously 
has been attempted. 

As the demand for both the number and 
duration of EVAs increases, the benefits 
possible from an improved EMU and 
suit to support them become clear. 
Existing suits and their associated 
portable life support system (PLSS) have 
several characteristics that limit their 
flexibility and utility. They operate at 
low pressure thereby requiring extensive 
prebreathing of pure oxygen to avoid 
problems associated with nitrogen 
bubbles in the blood ("the bends"). This 
could be severely limiting if an 
emergency EVA or an EVA evacuation 
is needed from the Space Station. Even 
if sufficient prebreath time is available, 
this activity places additional workload 
on the EVA crews, which might be more 
productively allocated to the EVA 
activity. This, in turn, could potentially 
reduce the number of EVAs required 
because crew members could work more 
productively and accomplish more on 
each EVA. In addition, the 
refurbishment and sizing of the existing 
suits is extremely time-consuming and 
labor intensive and can now only be fully 
accomplished on the ground. 

NASA already has explored the 
technology needed to overcome these 
problems. Two programs, the AX-5 at 
the ARC and the Mark 3 at the JSC, 
have built and tested prototype suits that 
do much to overcome the problems 
inherent in the current design. Neither 
the AX-5 nor the Mark 3 is a complete 
solution to all of the problems inherent 
in having humans work in space. 
However, they successfully have 
demonstrated that a more flexible design 
capable of on-orbit maintenance and 
sizing and eliminating or reducing 
prebreathing requirements is possible. 
They have further demonstrated that 
there are no significant technological 
issues associated with producing these 
improvements. 

Existing budgetary constraints have 
prompted the deletion of most funding 
for completing development of an 
advanced suit and EMU. Because the 
existing suits continue to perform 
satisfactorily on Space Shuttle missions, 
a decision to defer some or even most of 
the costs of developing a new suit is not 
unreasonable. However, it is clear that 
the ultimate implementation of SSF can 
be greatly enhanced by an improved suit 
design. Therefore, NASA should 
commit to specification and development 
of a new suit, and establish its 
implementation schedule consistent with 
budget availability. One possible 
pathway to upgrading the suit design 
would be to couple the existing PLSS 
with a new suit based on AX-5/Mark 3 
technologies. The PLSS could be 
modified to operate at a higher pressure 
to reduce prebreathing time and take 
maximum advantage of the design 
qualities of the new suits. As funds and 
time permit, the PLSS could be replaced 
with an upgraded EMU that could be 
based, in part, on lessons learned from 
the already planned extended EVAs for 
HST repair and Space Station assembly. 
It also would seem wise for NASA to 
support the research necessary to 
characterize more fully the bends risk 
associated with micro-gravity EVA 
activities. Existing tables relating 
prebreathing time and atmospheric 
pressure are based on pressure chamber 
and deep sea diving experience. While 
these are good analogies, they ignore the 
influence of micro-gravity and the 
exertion levels expected of EVA 
astronauts. NASA has the research 
expertise and the data collection 
opportunities during on-ground 
simulations and Space Shuttle flights to 
collect the data necessary to clarify this 
issue. A potential side benefit of 
conducting this research would be a 
significant clarification of the need for 
and use of hyperbaric airlocks on the 
Space Station. 


APPENDIX B 

NASA RESPONSE TO MARCH 1991 ANNUAL REPORT 


SUMMARY 

In accordance with the Panel’s letter of transmittal, NASA’s response dated June 17, 
1991, covered the "Findings and Recommendations" from the March 1990 Annual 
Report. 

Based on the Panel’s review of that response and the information gathered during the 
1990 period, the Panel considers that the following 3 of the 34 original items noted in 
the June 17th response are "open" at this time: 


Finding/Recommendation No. and Subject                   Comments 

#2   Space Shuttle Autoland System                       The Panel will continue to follow the Autoland progress. 

#4   Space Shuttle Software Verification and Validation  The Panel will revisit this system. 

#10  Integration of ASRM/RSRM Plan                       Schedule problems warrant Panel review. 

NASA 

National Aeronautics and 
Space Administration 

Washington, D.C. 
20546 

Office of the Administrator 

JUN 17 1991 


Mr. Norman R. Parmet 
Chairman 

Aerospace Safety Advisory Panel 
5907 Sunrise Drive 
Fairway, KS 66205 



In accordance with your introductory letter to the 
March 1991 Aerospace Safety Advisory Panel (ASAP) Annual Report, 
I am enclosing NASA's detailed response to Section II, "Findings 
and Recommendations." 

The dedication of the ASAP members to NASA continues to be 
commendable. Your recommendations have helped reduce risk and 
improve safety in NASA manned/unmanned programs and projects. 
Your efforts are greatly appreciated. 

I thank you and your fellow Panel members for your 
valuable contribution and look forward to the next report. As 
always, ASAP recommendations are highly regarded and receive the 
full attention of our senior management. 

Sincerely, 



Enclosure 





FINDINGS AND RECOMMENDATIONS 


A. SPACE SHUTTLE PROGRAM 
SPACE SHUTTLE ELEMENTS 
Orbiter 

Finding #1: NASA has planned to implement the wing/fuselage modifications indicated by 
the results of the 6.0 load analysis. Modification work has been scheduled for OV-102, and 
plans are being developed for the remainder of the fleet. 

Recommendation #1: The implementation of these modifications should be 
accomplished as soon as possible so that the restricted flight envelope (green 
squatcheloid) parameters can be safely upgraded. 

NASA Response: Concur. Modifications are scheduled for each vehicle’s Orbiter 
Maintenance Down Period (OMDP). The OMDP has been incorporated into the Space 
Shuttle Program to provide dedicated times for performing detailed vehicle structural 
inspections, subsystem inspections and internal functional checks as well as modifications. 
All vehicle modifications will be complete by mid-1993. 

Finding #2: The uncertainties surrounding crew performance after extended stays in space 
suggest a need for an alternative to manual landings. 

Recommendation #2: The Space Shuttle Program should complete the development of a 
reliable autoland system for the Orbiter as a backup. 

NASA Response: Concur. The existing Shuttle autoland system is certified and is a 
reliable backup for 16-day Extended Duration Orbiter missions. A significant program 
to collect crew performance data is being undertaken by the Office of Space Science and 
Applications during flights involving incremental increases of on-orbit duration. Current 
plans involve flying four 10-day flights and three 13-day flights prior to the first 16-day 
flight. Crew performance data will be evaluated and must be judged acceptable prior to 
commitment to the next increment of extended duration. 

Finding #3: With plans to extend Orbiter use well into the next century, it will be necessary 
to upgrade the Orbiter computer systems several times. The present, rather ad hoc, approach 
of treating each upgrade as an independent action will be unsatisfactory for the long term. 

Recommendation #3: NASA should accept the need for an upgrade involving a 
complete software reverification approximately every 10 years. A study should be 
undertaken to plan a path of evolution for all future changes in avionics computer 
hardware and software for the life of the Space Shuttle Program. The study should 
involve independent assessment to ensure the broadest possible perspective. 

NASA Response: Concur. NASA has just completed integrating the Improved General 
Purpose Computer (IGPC) into the fleet. This upgrading of the orbiter computers 
included an extensive reverification of the flight software. Integrated testing of the flight 
hardware and software was one of the milestones in the certification of the IGPC 
hardware and flight software. In addition, the Shuttle software is incrementally upgraded 
and released for flight approximately every eight months. These upgrades are validated, 
verified, and certified through an extensive and thorough process. Future computing 
capability beyond recent incorporation of the IGPC is under development in the Assured 
Shuttle Availability (ASA) Program in the Multifunction Electronics Display Subsystem 
(MEDS). The plan for the subsequent 10-15 years involves maintaining the existing 
system. Issues involving obsolescence and enhanced performance will continue to be 
reviewed. 

Finding #4: The Space Shuttle flight software generation process is very complex. It 
includes numerous carefully designed safeguards intended to ensure that no faulty software is 
ever loaded. When errors have occurred, or when concerns have been raised about steps in 
the procedure, new safeguards have been added. The whole process is long, complicated, 
and involves a plethora of organizations and computers. 

Recommendation #4: NASA should conduct an independent review of its entire 
software generation, verification, validation, object build, and machine loading process 
for the Space Shuttle. The goals should be to ascertain whether the process can be made 
less complex and more efficient. 

NASA Response: Concur. An independent review has been completed of NASA’s entire 
software generation, verification, validation, object code build, and machine loading 
process. As part of the post-51L activity, NASA contracted with Intermetrics Inc., as the 
independent verification and validation (IV&V) contractor. NASA is developing a policy 
to define the scope of our independent oversight activity. To assist in this task, NASA 
has requested the National Research Council to perform an independent review of the 
IV&V process to include software generation, object code build, and machine loading. 

Space Shuttle Main Engine (SSME) 

Finding #5: The SSME is now available in sufficient numbers to support all the Orbiters. 
A suitable number of spare engines are available at the launch site. 

Recommendation #5: Keep up the good work while recognizing any demands imposed 
by changes in planned launch rates. 

NASA Response: Thank you. We intend to maintain a good posture on spare engines. 

Finding #6: The program to develop safety and reliability improvements to the current 
SSME is meeting with a large degree of success. However, some components, like the pump 
end of the High-Pressure Oxidizer Turbopump (HPOTP) and the two-duct power head have 
not been successful. The bearing housing at the pump end of the HPOTP has not met its 
objectives, and an operational solution has been devised to accommodate the resulting small 
number of allowable reuses between overhauls. Premature combustion chamber cracking 
and injector erosion were experienced with the two-duct powerhead. 

Recommendation #6: Continue the development and certification of the safety 
improvements so that they may be incorporated at the earliest possible time. 

NASA Response: Concur. The SSME Project is continuing certification of both the 10K 
pumps and development of the two-duct powerhead through hot-fire testing at SSC and 
detailed engineering reviews of the test results. This effort will continue to develop 
these safety improvements for incorporation at the earliest possible time. 

Finding #7: The Alternate Turbopump Program has encountered a number of design 
problems during testing. Fixes are being incorporated and fed into development testing. 
Planning for completion of component-level testing and entering the engine-level test phase is 
very optimistic, especially in view of the difficulties experienced in completing test runs on the 
component test stand. 

Recommendation #7 : Schedule pressures can engender the temptation to truncate the 
component test plans and objectives. Do not compromise the objectives and 
thoroughness of the planned component test program to start engine-level testing at the 
time currently scheduled. 

NASA Response : Concur. In recent weeks, component-level testing for the alternate 
turbopump development (ATD) program has provided improved testing results. Using 
SSC testing to supplement component testing will add to the fidelity of the component 
testing program. The ATD Test Program will not truncate or compromise the objectives 
and thoroughness of the planned component testing. 

Redesigned Solid Rocket Motor (RSRM) and Advanced Solid Rocket Booster (ASRB) 

Finding #8: NASA is planning to use the existing Solid Rocket Booster aft skirt on the 
Advanced Solid Rocket Booster. The requisite Factor of Safety is to be achieved by biasing 
the spherical bearings at the hold-down posts. 

Recommendation #8: The aft skirt design for the Advanced Solid Rocket Booster should 
be inherently strong enough to achieve a Factor of Safety of 1.4. 

NASA Response : A factor of safety of 1.4 is not necessary for the Redesigned Solid 
Rocket Booster Aft Skirt since the loading of this structure is well understood. The 
Space Shuttle Program has been operating the current Solid Rocket Booster (SRB) with 
an aft skirt factor of safety of 1.28. The current radial biasing of the Spherical Bearings 
assures that this 1.28 factor of safety is achieved. Additional radial biasing, improved 
loads definition, and possible structural modifications, are being studied for their 
potential to further increase the factor of safety for the ASRB. 

Small inward biasing of the pedestal spherical bearings has been used successfully since 
STS-28 as a means of increasing structural factor of safety. The biasing imparts a 
compressive preload in the area of the critical aft skirt weld, thus helping to offset the 
tensile load induced there during SSME Thrust Build-up. 

Efforts are also underway to improve even further the definition of Aft Skirt loads. 
Strain gauge instrumentation on skirts has provided an extensive data base since STS-26 
and such data gathering will continue on the current SRB. An improved definition of 
ASRB Aft Skirt Loads will be available as the ASRB Structural Models are developed. 
Also, structural modifications are being studied that will enhance the load carrying 
capability of the skirts for the ASRB. With biasing and structural modifications, the aft 
skirt factor of safety will be maximized, but achieving a safety factor of 1.4 is not an 
absolute requirement. 

Finding #9: The Redesigned Solid Rocket Motor manufacturer has made impressive strides 
in the quality of industrial operations. Incorporation of existing state-of-the-art automation 
for manufacturing and assembly processes is continuing. 

Recommendation #9: Continue the industrial enhancements to achieve further reduction 
of requirements for hands-on labor and increased product quality. 

NASA Response: Concur. NASA is incorporating enhancements in the Thiokol 
Redesigned Solid Rocket Motor manufacturing facilities and processes in the areas of 
propellant mixing, casting, and in final assembly operations. These enhancements 
involve new facilities for automated propellant premix, sample casting, a modified 
oxidizer facility, and new propellant analysis equipment. For final assembly, there will 
be a new six-bay segment processing building with vertical nozzle installation capability 
and other handling improvements. 

Finding #10 : The use of the Advanced Solid Rocket Motor and Redesigned Solid Rocket 
Motor during the same time frame will pose procedural and test challenges because of their 
different configurations and performance characteristics. 

Recommendation #10 : NASA and its contractors should develop a well integrated plan 
for such concurrent operations. 

NASA Response : Concur. An integrated plan to govern program transition from SRB 
Operations to ASRB Operations is under development. This plan will show how Space 
Shuttle Program goals will be met within the technical constraints involved in integrating 
a new element into Shuttle operations. The development of the SRB-to-ASRB transition 
plan is scheduled to be completed by July 1991. Once complete, this transition plan will 
be incorporated into the System Integration Plan and controlled at Level II. This will 
ensure that any proposed changes to the transition plan will receive total program 
review. 

Finding #11: The test program for the Advanced Solid Rocket Motor/Advanced Solid 
Rocket Booster has been well planned and uses the many lessons learned from the ongoing 
Redesigned Solid Rocket Motor project. There are, however, a number of uncertainties 
including characterizing the physical and manufacturing properties of the case material. 

Recommendation #11: The project should provide an allowance for contingencies 
beyond those indicated in the current schedules and budgets to account for proper 
closure/resolution of expected test results. 

NASA Response: The ASRM Program cost/schedule is under review as Congress 
considers the FY 92 Budget request. Our desire is to have a reasonable allowance for 
schedule reserve, but budget pressures will likely drive us to a somewhat success oriented 
schedule where further schedule margin will have to come from first flight date. 

Finding #12: NASA has embarked upon an ambitious program of automation for 
manufacturing the Advanced Solid Rocket Motor. The new automation will be a significant 
step forward and an impressive accomplishment. However, there are concerns about the 
feasibility of completing automation of this scale in the time frame indicated. Therefore, 
there may be significant delays in the availability of the Advanced Solid Rocket Motor. 

Recommendation #12 : NASA should be prepared to extend use of the Redesigned Solid 
Rocket Motor beyond current plans. 

NASA Response : Concur. A 1-year overlap of RSRM and ASRM is planned to cover 
contingencies. While the degree of automation planned for the ASRM manufacturing 
facilities is ambitious, the process development involves an acceptable degree of schedule 
risk. Since construction of facilities and development of the manufacturing processes 
precedes the design verification phase of the program, any schedule delays would occur 
at a time when adjustments to extend the use of the RSRM can be made. 

Finding #13 : It is planned to move the highly instrumented T-97 Solid Rocket Motor 
Dynamics Test Stand from Utah to the Stennis Space Center in Mississippi for use during the 
Advanced Solid Rocket Motor Program rather than constructing an equivalent new test 
stand. This will leave the current Redesigned Solid Rocket Motor Program without a 
dynamic test facility support. 

Recommendation #13 : Retain the current T-97 dynamic test stand at the Utah site to 
support the Redesigned Solid Rocket Motor Program. A new dynamic test stand should 
be constructed for the Advanced Solid Rocket Motor at Stennis Space Center. 

NASA Response : Relocating the T-97 Test Stand Hardware to Stennis Space Center 
(SSC) is being considered as a cost-effective means of meeting the combined testing 
needs of the RSRM and ASRM Projects. It has been determined that neither the 
ASRM or RSRM test stands require dynamic (side load) test capability. This plan 
leaves the T-24 Test Stand at Thiokol for RSRM tests and moves the T-97 Test Stand 
(without dynamic capability) to SSC for ASRM. 

External Tank (ET) 

Finding #14 : The external tank project is moving along very well. 

Recommendation #14 : Keep up the good work. 

NASA Response: Thank you. 


Finding #15: This past year, NASA management has postponed Space Shuttle launches 
when technical uncertainties existed, declared a hiatus during the Christmas season and 
interrupted launch operations until the cause of hydrogen leaks could be determined and 
resolved. This is clear evidence of NASA management’s commitment to the principle of 
"safety first, schedule second." 

Recommendation #15 : NASA management should maintain this policy even as Shuttle 
launches become more frequent. 

NASA Response: Strongly concur. 

Launch And Landing Operations 

Finding #16 : Reports indicate that launch processing operations at the Kennedy Space 
Center (KSC) are being carried out with a declining rate of incidents. This is a trend in the 
right direction since the extreme sensitivity of Shuttle launch processing requires reducing 
errors to the lowest possible levels. 

Recommendation #16 : KSC, the Shuttle Processing Contractor, and associate contractors 
should continue to make all possible efforts to reduce incidents. However, care must be 
exercised to ensure that any observed decrease in incident reports is not merely an 
artifact of the reporting system. In particular, if management’s response to incident 
reporting is perceived as punitive in nature, the net result may be a suppression of 
reporting with a resultant reduction in the information available to management on 
which to identify problems and design remedial actions. Total Quality Management 
(TQM) techniques can be of great assistance. Likewise, the inclusion of human factors 
professionals on incident investigation teams can be very beneficial. Therefore, KSC 
should consider both an enhanced TQM program and a broader use of human factors. 

NASA Response : Concur. KSC and the Shuttle Processing Contractor (SPC) are 
continuing to try to reduce incidents, even beyond the success we have had to date. We 
are accomplishing this through a network of preplanning, communication, and 
coordination that encourages everyone to work together and understand that they are an 
essential part of the task at hand. Management takes no punitive action against any 
worker for incidents unless it is clearly shown that the worker had a preconceived 
negative intent or makes the mistake repetitively (more than twice). For repetitive 
errors, the worker is simply reassigned to other tasks and/or retrained. Any repetitive 
error is automatically evaluated from the human factors viewpoint. It should be noted 
that human factors concepts have been used throughout the creation and verification of 
all Orbiter Maintenance Instructions (OMIs) and the initial performances of all tasks 
involved in vehicle processing. With quality control checks at all levels from planning, 
engineering, OMI creation, and progressive steps of task team work, we are practicing 
TQM and reducing incidents. We will continue to use enhanced TQM and a broader 
use of human factors, as appropriate. 

Finding #17: There is a perception among some workers at KSC that disciplinary actions 
for errors are overly severe. 

Recommendation #17: NASA and its contractors should make every effort to 
communicate the facts and rationale for disciplinary actions to the work force and 
involve workers in incident reviews. TQM techniques can be of great assistance. There 
is simply no substitute for sincere communication between management and labor in 
dispelling negative perceptions. 

NASA Response : Concur. NASA is very concerned about the potential that such a 
perception may exist. KSC and SPC have instituted a program of vertical and lateral 
communications that extends from the highest KSC management levels (both civil service 
and SPC) down through middle management, engineering, and the task team technical 
floor workers. Practices include weekly meetings at top management levels, daily reviews 
at middle management and throughout engineering, and per shift (or more) coordination 
sessions at the task team level. There are also horizontal channels for coordination from 
hands-on-workers, logistics/supply elements, and support operations. It is continually 
stressed throughout these channels that disciplinary action for errors will not be severe 
or punitive unless the errors or incidents result from clearly proven negative intent. All 
employees are advised of their obligation to come to work fit and able, and to perform 
the tasks carefully and successfully. Any error is discussed with the responsible employee 
and efforts made to help him or her understand how to avoid a repetition. 

Finding #18: There are cases in which recurring waivers are sought and issued for the same 
subsystem or component on successive Space Shuttle flights. For example, waivers have had 
to be issued to fly with the tumble valve disabled on the external tank. 

Recommendation #18: Continuing waivers for the same condition should not be 
permitted. If it is deemed acceptable to fly repeatedly with a configuration that varies 
from specifications, the specifications should be altered rather than risk diluting the 
significance of waivers by making them routine. For example, the underlying 
specification for the tumble valve could be changed to require its inclusion only on high 
inclination launches. 

NASA Response : Concur in principle. The ASAP is correct in suggesting that there are 
continuing waivers where the specification can be changed; a good example is the tumble 
valve. Based on Flight Data for tanks with an active tumble system, the tumble systems 
were disabled on selected flights based on analysis of External Tank (ET) Rupture 
Altitude and the corresponding debris footprint. Flight and tracking data were used to 
determine the correlation between non-tumble system tank trajectories, ET motion, ET 
Rupture Altitude and the ET Debris Model. Based on these analyses and flight tests, 
the applicable specification was changed to preclude the necessity for continuing ET 
Tumble System Waivers. However, it should be pointed out that waiver disposition is 
never "routine." As outlined above, a request for waivers or to change a specification 
requires rigorous supporting data (many times flight data) presented through a series of 
at least three change control boards. Specifications have been, and will continue to be, 
changed where it is proved that the limits should be revised for all flights. 

Mission Operations 


Finding #19 : The Mission Control computer support system is quite old, relatively slow, and 
has monochrome displays primarily of tabular data. The advantages of applying current 
technology to Mission Control are being explored with the Real-Time Data System at the 
Johnson Space Center (JSC). 

Recommendation #19 : NASA should embark upon a systematic process to replace the 
old Mission Control system with one based upon up-to-date computer and human 
interface system technology. 

NASA Response: Concur. Since 1986, NASA has been in a phased process of upgrading 
the operational elements of the Mission Control Center (MCC) to incorporate advanced 
technology. This includes the replacement and upgrade of mainframe computers, and 
the placement over the last 2 years of current generation workstations in the MCC that 
are capable of using advanced techniques for analyzing and displaying data. These 
enhancements are part of a comprehensive multi-year plan developed to introduce new 
technology into the operating environment. 

ASSURED SHUTTLE AVAILABILITY PROGRAM 

Finding #20 : The majority of the safety and reliability enhancements that the Panel 
suggested be included in the Assured Shuttle Availability Program have been undertaken by 
NASA. It now appears that under this same label, NASA is undertaking a program of 
Space Shuttle modifications whose primary objectives are life extension and the elimination 
of obsolescence. This could lead to confusion. 

Recommendation #20 : The Panel urges that the two sets of objectives be pursued 
through independent, separately titled, but coordinated programs. 

NASA Response: The Space Shuttle Program considers safety changes to be the 
responsibility of the baseline program and funds are made available to implement these 
changes. A recent example is the modification of the Orbiter External Tank door 
fixture. This modification was not planned nor budgeted, but was immediately 
implemented. 

The objective of the Assured Shuttle Availability (ASA) Program is to keep the Shuttles 
flying well into the 21st century. The program addresses supportability, maintainability, 
and safety margin issues. Previously ad hoc programs will be combined in the future into 
a structured program that will prioritize candidates and manage the programs with 
managers whose primary function will be development programs. 

The current approved programs include the Multifunction Electronics Display Subsystem 
and the Hardware Interface Module. These programs are primarily obsolescence 
(supportability) programs. The other approved program, SSME Advanced Fabrication, 
replaces main engine obsolete manufacturing techniques by using castings versus 
weldments. The goal is to reduce cost and eliminate many Criticality 1 failures. The 
Space Shuttle Program will continue to manage safety enhancements. The ASA Program 
primarily will provide program supportability, but also will increase safety margins, where 
applicable. 

LOGISTICS AND SUPPORT PROGRAM 

Finding #21 : The Orbiter logistics and support systems are continuing to evolve 
satisfactorily. The expansion of component overhaul and repair facilities at the launch site 
and in the nearby areas is most impressive. Liaison between all NASA Centers and 
contractors appears to be excellent, and the control and communications networks are being 
further improved. 

Recommendation #21: Continue with the philosophy of centralizing Orbiter spares 
support and overhaul/repair activity in the KSC area. Good work! 

NASA Response : Concur. Thank you. 

Finding #22 : The total elapsed time for repair and turnaround of many repairable 
components is still too high. Delays in accomplishing failure analysis appear to be a major 
part of the problem. 

Recommendation #22: Continue to take all steps necessary to reduce turnaround time. 

NASA Response : Concur. Turnaround times continue to receive NASA management 
attention. KSC logistics personnel frequently review with the logistics contractor those 
items that have been in the repair process for longer than 180 days. These reviews 
provide an incentive for the logistics contractor to ensure that vendor repairs are not 
delayed for other than engineering concerns. In addition, the transition of repair 
capability from the original equipment manufacturers (OEMs) to the NSLD will 
continue to shorten overall turnaround time. The overall turnaround time for the last 3 
calendar years has decreased significantly: 194 days in 1988, 174 days in 1989, and 155 
days in 1990. 

Finding #23 : While the overall cannibalization problem appears to be under good control, 
there are still a few shortages of high-value items such as Auxiliary Power Units (APUs). 

Recommendation #23 : Review, once again, the critical supply issues in long-lead and 
high-value items to ensure an adequate spares level to avoid the safety problems 
associated with cannibalization. 

NASA Response : Concur. There are still a few shortages of high-value and long-lead 
items. These shortages are being addressed either through modification/improvement 
programs (as for the APUs) or through additional procurement (as for the reaction 
control system thrusters). 

Finding #24: Out-of-production, aging, and obsolescent parts are a growing problem. 

Recommendation #24: Increased emphasis should be given to ensuring the availability of 
sufficient quantity of up-to-date hardware. 

NASA Response: Concur. NASA recognizes the potential problem posed by obsolete 
parts. KSC has instituted a three-part program to minimize the impact that obsolescence 
could have on orbiter logistics supportability. The program includes identification of 
potentially obsolete parts; evaluation of available prevention options; and tracking of 
obsolescence data, including actions taken. These actions are taken in conjunction with 
the Assured Shuttle Availability Program. The increased emphasis on parts obsolescence 
should ensure the ability of KSC to provide up-to-date hardware for orbiter launch 
processing. 

Finding #25 : There does not appear to be a comprehensive and realistic plan for scheduling 
and accomplishing major overhaul of the Orbiter fleet. 

Recommendation #25 : To help ensure structural integrity of each vehicle, much greater 
effort must be devoted to these tasks. A comprehensive program should be developed 
for the orderly overhaul of Orbiters that are expected to operate into the 21st century. 

NASA Response : Concur. The Space Shuttle Program has developed and instituted a 
plan by which the orbiter vehicles are inspected and modified every 3 years. This plan 
involves the use of specific orbiter flow periods commonly referred to as Orbiter 
Maintenance Down Period (OMDP) to perform vehicle structural inspections and 
modifications. The orbiter structural inspection will verify the integrity of primary 
structural elements of the vertical tail, flight control surfaces, aft fuselage, mid-fuselage, 
landing gear, crew module and forward fuselage. Critical elements will be inspected for 
corrosion, fatigue, deformation and cracks, which would result in reduced structural 
integrity. Flow periods of 188 days have been allocated for an OMDP. OV-102 is the 
first vehicle to be scheduled for an OMDP and will begin in FY 91. OV-103 and OV-104 
are currently scheduled to begin their modification/inspections periods in FY 92. 

The Space Shuttle Program will continue to use OMDP’s to inspect and modify each 
orbiter throughout a vehicle’s operational lifetime to ensure each orbiter’s structural 
integrity and upgrade the systems as required to ensure operations through 2020. 

B. SPACE STATION FREEDOM PROGRAM 

Finding #26 : The Space Station Freedom Program has been plagued by technical, 
managerial, and budgetary difficulties since its inception. The instability of this program 
coupled with extensive externally stipulated design constraints has made it extremely difficult 
to conduct this program in a sound and orderly manner. The program has suffered from the 
absence of a clearly defined primary purpose that has resulted in an incomplete specification. 
Also, there has been a lack of effective systems engineering and systems integration activity. 

Recommendation #26 : The purpose and funding of the redefined Space Station 
Freedom Program must be firmly agreed upon by the Congress and NASA. Then, 
NASA should be permitted to organize and manage the program. Systems engineering, 
system integration, and risk management must be integral and vital parts of the revised 
program. 

NASA Response : Concur. The restructured Space Station Freedom program plan 
successfully responds both to the guidance of the Congress on funding and function and 
to the recommendations of the Advisory Committee on the Future of the U.S. Space 
Program, the Augustine Panel. The restructured plan enjoys strong support from the 
Administration and from many elements of the Congress. This consensus should permit 
NASA to go forward with a stable program and a consistent interaction of engineering 
design and risk management. 


C. AERONAUTICS 


AIRCRAFT OPERATIONS 


Finding #27 : Past ASAP reports have cited concerns over the extent of Headquarters 
involvement in aircraft operations safety. During the past year, a reorganization and 
redelineation of Headquarters safety responsibilities has gotten underway. 

Recommendation #27 : NASA should follow through with the implementation of 
Headquarters policies regarding the safety of the operation of NASA’s aircraft. 

NASA Response : Concur. The responsibilities for aviation safety and aircraft operations 
have been clarified. New management instructions have been drafted to document the 
responsibilities. These instructions are in their final coordination phase. NASA will 
follow through with the implementation of these policies. 

RESEARCH AND TECHNOLOGY 

Finding #28 : The joint Air Force/NASA high angle of attack program conducted at the 
Dryden Flight Research Facility has been a model of safe and efficient experimental flight 
testing. 

Recommendation #28 : NASA should document the experience of this flight test 
program in the tradition of the NASA/NACA flight test reporting. 

NASA Response : Concur. Flight test results will be documented thoroughly, and findings 
and lessons learned will be disseminated NASAwide. Aeronautical Research Flight Test 
Programs in NASA will continue to be the model for safe and efficient experimental 
flight testing for the U.S. aviation community. Safety will continue to be the most 
important principle in our research and testing programs, and this philosophy will be 
clearly presented in all related documentation. 

D. SAFETY AND RISK MANAGEMENT 


MISSION SUPPORT 

Finding #29: The use of Fault Tree Analysis and Failure Modes and Effects Analysis 
techniques proved to be valuable in solving the hydrogen leak problems on STS-35 and STS- 
38. Their use led to the identification of probable sources of the hydrogen leaks, the 
probable causes of these leaks, and the nature of the corrective actions needed. 

Recommendation #29: Use of these techniques for problem resolution should be 
encouraged throughout NASA. Suitable training programs should be established to 
ensure proper implementation. 

NASA Response: Concur. Fault-tree analysis (FTA) and Failure Modes and Effects 
Analysis (FMEA) are techniques fundamental to the NASA systems engineering 
disciplines. They are used throughout system development to enable early identification 
of problems, and assign hardware and software criticality. Critical Item Lists (CILs) are 
tabulated by criticality level and require review, resolution, or waiver before flight is 
approved. FTA is used by the safety organizations to provide top-down analyses of 
safety-critical problems, while the FMEA is a bottom-up approach that begins at the 
parts level. Both formal and informal on-the-job training in these techniques is provided. 

TOTAL QUALITY MANAGEMENT 

Finding #30: NASA has a TQM program intended to improve quality and productivity 
within NASA and its contractors. The implementation of the TQM (or its equivalent) 
concept, however, has been quite variable across the NASA Centers and contractors. 

Recommendation #30: The principles of TQM have merit when implemented by a 
dedicated and concerned management. NASA should implement a consistent TQM 
methodology that ensures adherence to those principles and participation of all levels of 
the work force. 

NASA Response: Concur. NASA’s ongoing emphasis on quality and productivity 
improvement (QPI) began in 1982, with an internal and external focus. In 1986, a 
special emphasis was placed on the external efforts in recognition that the majority of 
the NASA budget is allocated to contractors. In fact, Martin-Marietta/Michoud (which 
was referenced in the ASAP report) was evaluated under the NASA Excellence Award 
Program and won in 1987 for their quality achievements. In 1989-90, a renewed 
emphasis was placed on internal QPI programs, while still maintaining our external 
efforts. In February 1990, NASA formally launched an internal TQM initiative, and 
recently conducted a NASAwide TQM assessment. We are now planning an internal 
TQM evaluation initiative patterned after the George M. Low Trophy (NASA’s Quality 
and Excellence Award program) using TQM criteria contained in the President’s Award 
for Quality and Productivity Improvement. NASA top-level management is committed 
to successfully implementing the TQM program and will be directly involved in 
formulating strategies for achieving NASA TQM program goals. The TQM Steering 
Committee, consisting of NASA senior management, will report on the status and 
progress of TQM implementation at their Fall 1991 meeting. 

SAFETY REPORTING 

Finding #31: NASA has a management instruction (NMI 8621.1E) that addresses "Mishap 
Reporting and Investigation." This NMI includes a specification of board composition. It 
does not, however, realistically address the need for human factors input in such 
investigations. It notes that if human factors are thought to be substantially involved, then 
human factor input is to be sought from a "NASA or resident NASA contractor physician" 
rather than a trained human factors expert. Also, this NMI does not require investigation of 
"close calls." 

Recommendation #31 : Inclusion of a member on the incident/accident investigation 
board with specific human factors expertise should be given much greater consideration. 
"Close-call" investigations should be more formalized. 

NASA Response : Concur. NASA is investigating the human element in all NASA 
mishaps. Efforts are currently underway to refine and update NMI 8621.1E. Part of this 
effort will be the transition of NASA Mishap Investigation Board Membership 
requirements to the Basic Safety Manual, NHB 1700.1. Consideration will be given to 
incorporating a requirement to have a Human Factors Engineering professional assigned 
to a NASA Mishap Investigation Board during this transition. The NASA Headquarters 
Safety Division is sponsoring a Human Error Avoidance Project at KSC that includes 
funding for a full-time Human Factors Engineering professional. This individual will be 
available to participate in future mishap investigations at KSC. Formalization of the 
NASA close-call investigation process is also a NASA concern. The update to NMI 8621.1E 
will stipulate investigation of Type A, B, and C mishap-related close-calls as a 
requirement in the Basic Policy for NASA Mishap Reporting and Investigation. Under 
the current policy, all close-calls must be reported; close-call reports are evaluated at 
NASA Headquarters and, when necessary, an investigation board is established. 

E. OTHER 


NASA FACILITIES 

Finding #32 : NASA has undertaken a well organized, 5-year program for safety and 
operational renovation/revitalization of some of its major experimental research facilities. 

Recommendation #32 : NASA and the Congress should continue to keep in focus the 
importance of preserving and periodically updating the physical plants and research 
facilities at NASA Centers. The current program should be continued and extended to 
cover the facilities that were not included because of funding limitations. 

NASA Response: Concur. There should be a continuing focus on the importance of 
preserving and periodically updating the physical plants and research facilities at the 
NASA Centers. NASA’s current efforts emphasize the rehabilitation and modernization 
of their 40- to 50-year-old wind tunnel facilities. 

EXTRAVEHICULAR MOBILITY UNITS/SPACE SUITS 


Finding #33: NASA's current plans for Space Station and the Space Exploration Initiative 
will inevitably involve the need for both planned and contingency extravehicular activities 
(EVA’s). 

Recommendation #33: The planning and design for Space Station and other manned 
space exploration programs should make every attempt to minimize dependence on 
EVA. In addition, NASA should undertake the development of an improved 
Extravehicular Mobility Unit that eliminates or reduces the maintenance and operational 
problems inherent in the current suit designs. 

NASA Response: Concur. The planning and design for the Space Station Freedom 
(SSF) and other manned programs should minimize extravehicular activity (EVA). 
Subsequent to the SSF External Maintenance Task Team (EMTT-Fisher-Price) study, 
the External Maintenance Solutions Team (EMST) was formed to evaluate EMTT 
findings/recommendations and provide further recommendations for mitigating EVA 
requirements. Many of the EMST recommended actions were incorporated by program 
management and additional actions were developed during the restructuring activity; 
other recommendations are still being evaluated. NASA concurs that development of an 
improved Extravehicular Mobility Unit (EMU)/Space Suit is desirable but budgetary 
constraints preclude pursuing that activity at this time. Two candidate designs for the 
EMU have been studied at the Johnson Space Center and Ames Research Center. 

TETHERED SATELLITE SYSTEM (TSS) 

Finding #34: The tethered satellite concept involves potentially operational activities that 
have never been attempted and that cannot be simulated on the ground before flight. 

Hazard studies and analyses have revealed the possibility of the Orbiter becoming adversely 
affected by the tether in the event of a malfunction during extension, while deployed, during 
retraction, or during stowage. 

Recommendation #34: Program risk management should continue to focus on the results 
of the principal hazard analyses and their implication for Space Shuttle and satellite 
control. 

NASA Response: Concur. The risk management process for the Tethered Satellite 
System (TSS) continues to focus on hazard analyses and their implications for the Space 
Shuttle Program. There is an operating strategy that assures all potential satellite 
control issues will not become hazardous to the Shuttle. A "Safety of Flight" operations 
envelope is being defined using performance gates that assure Orbiter maneuvers used to 
avoid contact (breakout techniques) remain viable during all TSS mission phases. The 
"Mission Success" operations envelope is contained within the safety of flight envelope so 
that mission success will not conflict with safety. The performance gates will be reflected 
in the flight rules and console documentation. The hazard analysis and safety review 
process along with operations working groups are proceeding at greater levels of detail 
to continue to implement this strategy. 

APPENDIX C 

AEROSPACE SAFETY ADVISORY PANEL ACTIVITIES 
FEBRUARY 1991 - JANUARY 1992 


FEBRUARY 

19-22 Aerospace Medicine Advisory Committee Meeting; NASA Headquarters 

26 Space Station Work Package #4 Rocketdyne Briefing; Cleveland 

MARCH 

22 ASAP Annual Report to Administrator; NASA Headquarters 

APRIL 

30 Intercenter Aircraft Operations Panel Meeting; Cocoa Beach 

MAY 

1 Intercenter Aircraft Operations Panel Meeting; Cocoa Beach 

2-3 Intercenter Aircraft Operations Panel; Washington, DC 

9 Space Shuttle Orbiter Autoland; Johnson Space Center 

21 Space Station Program; NASA Headquarters 

22 Space Shuttle Program; NASA Headquarters 

22 Office of Management and Budget; Washington, DC 

28 NASA Safety Reporting Systems; NASA Headquarters 

JUNE 

17-19 Aerospace Medicine Advisory Committee Meeting; NASA Headquarters 

19 Space Station Restructure and Space Shuttle Main Engine; Rocketdyne, Canoga Park 

19 ASAP Management Meeting; NASA Headquarters 

20 Space Shuttle Orbiter Autoland; Johnson Space Center 

25 National Research Council Panel on Advanced Solid Rocket Motor; Washington, DC 

JULY 

16-17 Space Shuttle Launch and Landing Processing; Kennedy Space Center 

AUGUST 

5 Advanced Solid Rocket Motor; Aerojet, Sacramento 

6 Aeronautical Programs and Human Performance; Ames Research Center 

6 Space Shuttle Performance; Rockwell, Downey 

7 Flight Programs; Dryden Flight Research Facility 

9 Space Station Freedom Program, Level I; NASA Headquarters 

12-13 Space Station Freedom Program, Level II; Reston 

20 Space Shuttle Processing/Operations; Kennedy Space Center 

21 Space Shuttle/Space Station Logistics, Kennedy Space Center 

21 Advanced Turbopump Development Program; Pratt & Whitney, West Palm Beach 



SEPTEMBER 

4-5 Redesigned Solid Rocket Motor/Advanced Solid Rocket Motor; Marshall Space Flight Center 


OCTOBER 

9 Space Station Work Package #4; Lewis Research Center 

9-10 Space Shuttle Program Directors Management Review; Johnson Space Center 

16-17 Manned Space Flight Activities; Johnson Space Center 

18 Space Station Integration; Johnson Space Center 

NOVEMBER 


6-7 NASA/Contractors Conference; Houston 

4-6 AIAA 4th Space Logistics Symposium; Cocoa Beach 

6-8 Integrated Logistics Panel; Kennedy Space Center 

7 STS-44 Flight Readiness Review; Kennedy Space Center 

13 Space Station Freedom, Work Package 2; McDonnell Douglas Company; Huntington Beach 

14 Human Factors, EVA; Ames Research Center 

DECEMBER 

4 Tethered Satellite System; NASA Headquarters 

10-11 Intercenter Aircraft Operations Panel; San Diego 